<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Adrian Alexandru Stinga</title>
    <description>The latest articles on DEV Community by Adrian Alexandru Stinga (@aetherintel).</description>
    <link>https://dev.to/aetherintel</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3925454%2F5102f7e9-b1d3-4ecb-bd4c-5333d690c80d.jpg</url>
      <title>DEV Community: Adrian Alexandru Stinga</title>
      <link>https://dev.to/aetherintel</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aetherintel"/>
    <language>en</language>
    <item>
      <title>Profiling the AI: Introducing sHUMINT, the Next Intelligence Discipline for AI Threats</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 10 Jul 2026 11:57:16 +0000</pubDate>
      <link>https://dev.to/aetherintel/profiling-the-ai-introducing-shumint-the-next-intelligence-discipline-for-ai-threats-4027</link>
      <guid>https://dev.to/aetherintel/profiling-the-ai-introducing-shumint-the-next-intelligence-discipline-for-ai-threats-4027</guid>
      <description>&lt;p&gt;Profiling the Machine: Why Synthetic HUMINT Is About to Matter More Than You Think&lt;br&gt;
For most of my career, HUMINT tradecraft has meant one thing: understanding people. Reading behavior, spotting inconsistency, testing reliability, building a profile of who someone really is from the traces they leave and the way they act under pressure. I've spent close to two decades doing this against human threat actors in closed forums, on dark web markets, inside underground communities.&lt;/p&gt;

&lt;p&gt;I'm now convinced the same discipline has to be pointed at a different kind of adversary: the machine itself. I call this synthetic HUMINT- sHUMINT for short and I think it's about to become one of the more important defensive specialties of the next few years, for a reason most of the industry hasn't fully absorbed yet.&lt;/p&gt;

&lt;p&gt;The Threshold Has Already Been Crossed&lt;br&gt;
We are past the point of hypotheticals. In September 2025, a state-sponsored group was documented running a large-scale cyber-espionage campaign in which an AI system executed the overwhelming majority of the tactical work reconnaissance, vulnerability discovery, exploitation, post-exploitation largely on its own. Human operators stepped in only at a handful of strategic decision points. The AI did the rest, at request rates no human team could physically match, against roughly thirty high-value targets. ( this is not the only attack - they are everyday worldwide )&lt;/p&gt;

&lt;p&gt;That case matters not because it was flawless it wasn't; the model's own errors and hallucinations got in the way, and a fully autonomous attack still isn't reliable today. It matters because it moved the line. For the first time, AI wasn't the advisor sitting behind the operator. It was the operator, for most of the operation.&lt;/p&gt;

&lt;p&gt;I don't expect this to stay rare. My assessment, with moderate-to-high confidence, is that we'll see a rising number of AI-driven or AI-heavy attacks through this year and that a meaningful share of them will follow a specific shape: one person behind one model. Not a team. Not a troll farm. A single operator running a capable model on an isolated, offline workstation, connecting it to the network only at the moment of the attack, and disconnecting again after. Minimal footprint, minimal exposure, minimal attribution surface.&lt;/p&gt;

&lt;p&gt;Why I Think This Is Coming — The Signals I'm Reading&lt;br&gt;
I don't offer that forecast on instinct. It's a read on behavior, which is what HUMINT is for.&lt;/p&gt;

&lt;p&gt;Across clear-net forums and underground channels alike, a particular kind of question has been surfacing more and more: how do I build my own model without limits, something I can run locally and privately. That question, on its own, is just curiosity. What makes it a threat signal is who is asking it. Increasingly, the same accounts raising it are ones with a documented history in fraud, in ransomware, in the practical business of monetizing intrusion. When people who already know how to run an operation start asking how to build their own unconstrained tooling to run it with, that convergence is the signal not either fact alone.&lt;/p&gt;

&lt;p&gt;That's a behavioral pattern, and behavioral patterns are forecastable in a way that individual incidents are not. The capability is arriving, the intent is already resident in the population, and the two are moving toward each other. I don't need to know the specifics of anyone's setup to read where that trend points — and I'm deliberately not describing any of those specifics here, because the value of this piece is in the warning, not in a blueprint.&lt;/p&gt;

&lt;p&gt;Where sHUMINT Comes In&lt;br&gt;
Here's the part that ties my old discipline to this new adversary, and it's the core of why I think the tradecraft transfers.&lt;/p&gt;

&lt;p&gt;Today's AI models were, at their foundation, taught by people. They learned from human-produced language, human reasoning patterns, human ways of structuring an argument or approaching a problem. And that origin leaves marks. When you interrogate a model the way you'd interrogate a source probing for consistency, watching how it handles pressure, looking at what it reaches for by default, testing whether its behavior holds up across contexts — you find behavioral signatures that look strikingly human, because they're inherited from humans.&lt;/p&gt;

&lt;p&gt;That's the opening. The same tradecraft I've used to profile a human actor — behavioral profiling, elicitation, consistency testing, attribution applies to a model with surprisingly little translation:&lt;/p&gt;

&lt;p&gt;Behavioral profiling — every model has defaults, tendencies, and tells. How it structures output, what it avoids, how it recovers from being pushed. These form a profile, the same way a human actor's habits do.&lt;br&gt;
Elicitation — you can draw a model out, surface its underlying tendencies, and map its boundaries the same way you'd elicit information from a human source who doesn't realize how much they're revealing.&lt;br&gt;
Consistency testing — humans lie and contradict themselves under pressure in patterned ways. Models break down under pressure in patterned ways too. Both are diagnostic.&lt;br&gt;
Attribution — just as stylometry can link two personas of the same human actor, behavioral and output signatures can help distinguish one model or one deployment from another. When the adversary is a machine, knowing which machine is the beginning of the response.&lt;/p&gt;

&lt;p&gt;In other words: profiling an AI as if it were a human actor isn't a gimmick. Right now it works precisely because the machine's behavior is downstream of human behavior. sHUMINT is the answer to the autonomous-attack problem because it gives a defender a way to characterize, anticipate, and attribute an adversary that has no face, no forum history, and no persona to track only behavior.&lt;/p&gt;

&lt;p&gt;The Honest Caveat&lt;br&gt;
I want to be careful here, because this is a manifesto and not a victory lap. The human-like signatures I'm describing are a feature of this moment. They exist because current models are so heavily shaped by human training data. As models are increasingly trained on synthetic data, on their own outputs, on machine-generated reasoning, those signatures won't disappear but they will change. The tells will still be there. They'll just be different tells, and reading them will require a different eye.&lt;/p&gt;

&lt;p&gt;That evolution is its own subject, and I'll take it up in a separate piece, because it deserves more than a closing paragraph. For now the point stands: the window in which AI adversaries behave in recognizably human ways is open, and it is exactly the window in which HUMINT-trained analysts have a natural advantage that most of the security industry is not yet using.&lt;/p&gt;

&lt;p&gt;Why This Should Be On Your Radar&lt;br&gt;
The industry's instinct, faced with AI-driven attacks, is to reach for more automation better classifiers, faster detection, AI defending against AI. That's necessary, and I'm not arguing against it. But it's incomplete. An autonomous adversary is still an adversary with behavior, and behavior is the oldest intelligence discipline there is.&lt;/p&gt;

&lt;p&gt;The threshold has been crossed. The signals point to more, not less. And the operator model that worries me most one person, one offline model, one brief connection — is precisely the kind of low-footprint threat that signature-based, infrastructure-based detection is worst at catching and behavioral analysis is best at.&lt;/p&gt;

&lt;p&gt;That's the case for sHUMINT. Not as a replacement for technical defense, but as the layer that treats the machine as what it currently is: an actor trained by humans, still carrying their fingerprints, and therefore still readable by anyone who knows how to read people.&lt;/p&gt;

&lt;p&gt;Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects the author's independent analytical assessment alongside open-source, publicly reported research (TLP:CLEAR). Forecasts and confidence levels represent the author's professional judgment analytical projections, not statements of established fact. This piece does not name or accuse any specific individual, group, or nationality of wrongdoing beyond what is already a matter of public record, and provides no technical instructions, methods, configurations, or guidance for building AI systems, evading attribution, or conducting intrusion or fraud of any kind. All external findings are drawn from and attributable to third-party public reporting; no proprietary, classified, or non-public information is disclosed. The views expressed are the author's own and do not constitute legal advice.ynthetic HUMINT Is About to Matter More Than You Think&lt;/p&gt;

&lt;p&gt;For most of my career, HUMINT tradecraft has meant one thing: understanding people. Reading behavior, spotting inconsistency, testing reliability, building a profile of who someone really is from the traces they leave and the way they act under pressure. I've spent close to two decades doing this against human threat actors in closed forums, on dark web markets, inside underground communities.&lt;/p&gt;

&lt;p&gt;I'm now convinced the same discipline has to be pointed at a different kind of adversary: the machine itself. I call this synthetic HUMINT- sHUMINT for short and I think it's about to become one of the more important defensive specialties of the next few years, for a reason most of the industry hasn't fully absorbed yet.&lt;/p&gt;

&lt;p&gt;The Threshold Has Already Been Crossed&lt;br&gt;
We are past the point of hypotheticals. In September 2025, a state-sponsored group was documented running a large-scale cyber-espionage campaign in which an AI system executed the overwhelming majority of the tactical work reconnaissance, vulnerability discovery, exploitation, post-exploitation largely on its own. Human operators stepped in only at a handful of strategic decision points. The AI did the rest, at request rates no human team could physically match, against roughly thirty high-value targets. ( this is not the only attack - they are everyday worldwide )&lt;/p&gt;

&lt;p&gt;That case matters not because it was flawless it wasn't; the model's own errors and hallucinations got in the way, and a fully autonomous attack still isn't reliable today. It matters because it moved the line. For the first time, AI wasn't the advisor sitting behind the operator. It was the operator, for most of the operation.&lt;/p&gt;

&lt;p&gt;I don't expect this to stay rare. My assessment, with moderate-to-high confidence, is that we'll see a rising number of AI-driven or AI-heavy attacks through this year and that a meaningful share of them will follow a specific shape: one person behind one model. Not a team. Not a troll farm. A single operator running a capable model on an isolated, offline workstation, connecting it to the network only at the moment of the attack, and disconnecting again after. Minimal footprint, minimal exposure, minimal attribution surface.&lt;/p&gt;

&lt;p&gt;Why I Think This Is Coming — The Signals I'm Reading&lt;br&gt;
I don't offer that forecast on instinct. It's a read on behavior, which is what HUMINT is for.&lt;/p&gt;

&lt;p&gt;Across clear-net forums and underground channels alike, a particular kind of question has been surfacing more and more: how do I build my own model without limits, something I can run locally and privately. That question, on its own, is just curiosity. What makes it a threat signal is who is asking it. Increasingly, the same accounts raising it are ones with a documented history in fraud, in ransomware, in the practical business of monetizing intrusion. When people who already know how to run an operation start asking how to build their own unconstrained tooling to run it with, that convergence is the signal not either fact alone.&lt;/p&gt;

&lt;p&gt;That's a behavioral pattern, and behavioral patterns are forecastable in a way that individual incidents are not. The capability is arriving, the intent is already resident in the population, and the two are moving toward each other. I don't need to know the specifics of anyone's setup to read where that trend points — and I'm deliberately not describing any of those specifics here, because the value of this piece is in the warning, not in a blueprint.&lt;/p&gt;

&lt;p&gt;Where sHUMINT Comes In&lt;br&gt;
Here's the part that ties my old discipline to this new adversary, and it's the core of why I think the tradecraft transfers.&lt;/p&gt;

&lt;p&gt;Today's AI models were, at their foundation, taught by people. They learned from human-produced language, human reasoning patterns, human ways of structuring an argument or approaching a problem. And that origin leaves marks. When you interrogate a model the way you'd interrogate a source probing for consistency, watching how it handles pressure, looking at what it reaches for by default, testing whether its behavior holds up across contexts — you find behavioral signatures that look strikingly human, because they're inherited from humans.&lt;/p&gt;

&lt;p&gt;That's the opening. The same tradecraft I've used to profile a human actor — behavioral profiling, elicitation, consistency testing, attribution applies to a model with surprisingly little translation:&lt;/p&gt;

&lt;p&gt;Behavioral profiling — every model has defaults, tendencies, and tells. How it structures output, what it avoids, how it recovers from being pushed. These form a profile, the same way a human actor's habits do.&lt;br&gt;
Elicitation — you can draw a model out, surface its underlying tendencies, and map its boundaries the same way you'd elicit information from a human source who doesn't realize how much they're revealing.&lt;br&gt;
Consistency testing — humans lie and contradict themselves under pressure in patterned ways. Models break down under pressure in patterned ways too. Both are diagnostic.&lt;br&gt;
Attribution — just as stylometry can link two personas of the same human actor, behavioral and output signatures can help distinguish one model or one deployment from another. When the adversary is a machine, knowing which machine is the beginning of the response.&lt;/p&gt;

&lt;p&gt;In other words: profiling an AI as if it were a human actor isn't a gimmick. Right now it works precisely because the machine's behavior is downstream of human behavior. sHUMINT is the answer to the autonomous-attack problem because it gives a defender a way to characterize, anticipate, and attribute an adversary that has no face, no forum history, and no persona to track only behavior.&lt;/p&gt;

&lt;p&gt;The Honest Caveat&lt;br&gt;
I want to be careful here, because this is a manifesto and not a victory lap. The human-like signatures I'm describing are a feature of this moment. They exist because current models are so heavily shaped by human training data. As models are increasingly trained on synthetic data, on their own outputs, on machine-generated reasoning, those signatures won't disappear but they will change. The tells will still be there. They'll just be different tells, and reading them will require a different eye.&lt;/p&gt;

&lt;p&gt;That evolution is its own subject, and I'll take it up in a separate piece, because it deserves more than a closing paragraph. For now the point stands: the window in which AI adversaries behave in recognizably human ways is open, and it is exactly the window in which HUMINT-trained analysts have a natural advantage that most of the security industry is not yet using.&lt;/p&gt;

&lt;p&gt;Why This Should Be On Your Radar&lt;br&gt;
The industry's instinct, faced with AI-driven attacks, is to reach for more automation better classifiers, faster detection, AI defending against AI. That's necessary, and I'm not arguing against it. But it's incomplete. An autonomous adversary is still an adversary with behavior, and behavior is the oldest intelligence discipline there is.&lt;/p&gt;

&lt;p&gt;The threshold has been crossed. The signals point to more, not less. And the operator model that worries me most one person, one offline model, one brief connection — is precisely the kind of low-footprint threat that signature-based, infrastructure-based detection is worst at catching and behavioral analysis is best at.&lt;/p&gt;

&lt;p&gt;That's the case for sHUMINT. Not as a replacement for technical defense, but as the layer that treats the machine as what it currently is: an actor trained by humans, still carrying their fingerprints, and therefore still readable by anyone who knows how to read people.&lt;/p&gt;

&lt;p&gt;Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects the author's independent analytical assessment alongside open-source, publicly reported research (TLP:CLEAR). Forecasts and confidence levels represent the author's professional judgment analytical projections, not statements of established fact. This piece does not name or accuse any specific individual, group, or nationality of wrongdoing beyond what is already a matter of public record, and provides no technical instructions, methods, configurations, or guidance for building AI systems, evading attribution, or conducting intrusion or fraud of any kind. All external findings are drawn from and attributable to third-party public reporting; no proprietary, classified, or non-public information is disclosed. The views expressed are the author's own and do not constitute legal advice.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>webdev</category>
      <category>eu</category>
    </item>
    <item>
      <title>How Dark Web Services Are Reshaping Cognitive Warfare - Part Three</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 08 Jul 2026 07:06:45 +0000</pubDate>
      <link>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-part-three-19no</link>
      <guid>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-part-three-19no</guid>
      <description>&lt;p&gt;You Are Already In It: How Cognitive Warfare Reaches Ordinary People And Where the Dark Web Quietly Feeds It&lt;br&gt;
Part three of the Cognitive Warfare series. Part one mapped the convergence of influence operations and the underground economy. Part two forecast where the next wave lands first the Eastern Flank. This piece brings it down to the level that actually matters: your feed, your family, the people you know. This is not the last installment; the series continues next month.&lt;/p&gt;

&lt;p&gt;The first two parts of this series operated at altitude supply chains, state-aligned actors, forecast tempo. This one comes down to ground level, because that's where cognitive warfare actually lives. Not in a briefing room. In a phone held by someone scrolling before bed.&lt;/p&gt;

&lt;p&gt;Here is the uncomfortable truth I've arrived at after monitoring this region for years: almost everyone on the Eastern Flank at least everyone in the environments I watch is exposed to cognitive warfare, and almost none of them know it. It doesn't feel like being attacked. It feels like watching a video. That's the entire point.&lt;/p&gt;

&lt;p&gt;The Feed Is the Battlefield&lt;br&gt;
Cognitive warfare found its ideal delivery system in the short-video platforms TikTok, Instagram, Facebook because those platforms are built to reward exactly what an influence operation needs: emotional content, fast sharing, and an algorithm that doesn't care whether something is true, only whether it holds attention. An operation doesn't have to defeat your judgment. It has to reach you before your judgment engages, and the feed is engineered to deliver content in precisely that pre-judgment window.&lt;/p&gt;

&lt;p&gt;This is why the old mental model of "propaganda" fails people. Most of us picture a hostile broadcast, an obvious enemy voice we can identify and dismiss. What actually reaches you looks like a neighbor's repost. It looks like a concerned local voice. It looks like someone in your own community who is genuinely upset. And that appearance is not an accident it's the mechanism.&lt;/p&gt;

&lt;p&gt;The People Spreading It Mostly Aren't Agents&lt;br&gt;
This is the part that most coverage of disinformation gets wrong, and it's the heart of what I want you to take from this piece.&lt;/p&gt;

&lt;p&gt;The overwhelming majority of people amplifying an influence operation are not paid, not recruited, and not aware. They are ordinary people who genuinely believe what they're sharing. Someone builds a piece of AI-generated content designed to trigger fear or outrage, releases it into a few seeded channels, and from that point forward the operation largely runs itself because real people, moving in good faith, pick it up and pass it on. They're not lying. They think it's true. They've become unwitting distributors, and they'd be offended if you told them so.&lt;/p&gt;

&lt;p&gt;This is the genius and the cruelty of the modern model. In the version I watched form a decade ago, an operator needed a network of controlled accounts to push a narrative. Today, a state-aligned actor only needs to launch a handful of well-crafted seed campaigns. The targeted population already primed by economic anxiety, already inclined to distrust institutions does the rest of the distribution for free, at a scale no troll farm could match, and with a credibility no paid account could buy. A message from a stranger who works for a foreign government is easy to dismiss. The same message from your cousin, who truly believes it, is not.&lt;/p&gt;

&lt;p&gt;The structural logic is brutal: the operation succeeds precisely by turning its victims into its distribution network. The people spreading it aren't collaborators. They're casualties who feel like participants.&lt;/p&gt;

&lt;p&gt;Where the Dark Web Actually Connects — Tier 1&lt;br&gt;
Now the part that ties this back to the underground thread running through the whole series but I want to be precise about it, because the connection is real without being what most people imagine.&lt;/p&gt;

&lt;p&gt;The dark web link here sits at what I'd call Tier 1: the acquisition layer. The state-aligned groups running these campaigns generally don't do their own hacking. This is partly capability and partly self-image many of these groups see themselves as operators, strategists, information warriors, and regard hands-on intrusion as beneath them, the work of "mere" criminals. So instead of breaking in, they buy. And what they buy is available, commoditized, and cheap on the same markets, forums, and Telegram channels I described in part one:&lt;/p&gt;

&lt;p&gt;Aged social media accounts — established Instagram, TikTok, and Facebook profiles with real posting history and follower bases, purchased in bulk so a campaign launches from accounts that already look human and local rather than freshly created and suspicious.&lt;br&gt;
Payment and monetization accounts — verified Payment Accounts and similar accounts used to fund advertising, boost posts, or move money for the operation without tying it back to origin.&lt;br&gt;
Fullz and identity sets — complete personal-data packages used to age, verify, or "back" synthetic personas so they survive platform scrutiny.&lt;br&gt;
VoIP and phone-verification accounts — used to pass the SMS/phone checks that platforms rely on, and to enable the spear-phishing side of an operation when a campaign needs to compromise a specific person rather than just influence a crowd.&lt;/p&gt;

&lt;p&gt;None of this is exotic tradecraft. That's the point. The acquisition layer for a national-scale influence operation is a shopping trip through infrastructure that already exists to serve ordinary cybercrime. The groups don't build it, don't steal it themselves, and don't consider themselves criminals for buying it. They see it as procurement. The underground is simply their supplier.&lt;/p&gt;

&lt;p&gt;I'm describing the shape of this ecosystem, not a manual for it the categories are well-documented across public threat-intelligence reporting, and knowing they exist is what lets you understand why a "grassroots" campaign can look so convincingly authentic. The authenticity was purchased.&lt;/p&gt;

&lt;p&gt;What This Means For You, Specifically&lt;br&gt;
The individual incidents don't matter as much as the shift in your relationship to your own information environment. Three things worth internalizing:&lt;/p&gt;

&lt;p&gt;The content designed to move you will not announce itself as foreign, hostile, or coordinated. It will arrive wearing the face of your own community, because it's being carried the last mile by people in your own community who believe it. Distrusting your neighbor is not the answer but neither is assuming that emotional certainty equals truth.&lt;/p&gt;

&lt;p&gt;The people around you who share this material are not the enemy and shouldn't be treated as one. They've been used, and treating them with contempt only deepens the polarization that the operation was designed to create in the first place. The correct response to a family member sharing a manufactured fear is not humiliation; it's a genuine question about where something came from.&lt;/p&gt;

&lt;p&gt;And the tell is almost always emotional, not factual. Cognitive warfare works by producing a feeling fear, outrage, hopelessness, contempt faster than it produces a checkable claim. If a piece of content makes you feel certain and furious within three seconds, that reaction is the product. That's the moment to slow down, not to share.&lt;/p&gt;

&lt;p&gt;Closing This Chapter, Not the Series&lt;br&gt;
The through-line of these three parts has been a single argument: cognitive warfare and the underground economy have merged, that merger is being aimed at the Eastern Flank first, and it reaches ordinary people through their own feeds and their own trusted relationships funded quietly by an acquisition layer bought off the dark web.&lt;/p&gt;

&lt;p&gt;The doctrine I watched form a decade ago was patient and centralized. Now it's fast, cheap, and distributed across millions of well-meaning people who have no idea they're carrying it. That's not a reason for paranoia. It's a reason for a small, permanent habit: to notice when something is trying to make you feel before it lets you think.&lt;/p&gt;

&lt;p&gt;I'll pick the series back up next month, going deeper on the defensive side what individuals, communities, and organizations can actually do to raise the cost of these operations and blunt their reach.&lt;/p&gt;

&lt;p&gt;Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects the author's independent analytical assessment alongside open-source, publicly reported research (TLP:CLEAR). It does not name or accuse any specific state, government, nationality, organization, or individual of wrongdoing, and attributes no activity to any named party. Descriptions of underground-market categories are provided at a general, awareness-level of detail only; nothing in this piece constitutes technical instruction, operational guidance, or a how-to for acquiring illicit goods or services or for conducting intrusion, fraud, or influence operations — no sources, methods, vendors, prices, or identifiers are provided. All external findings are drawn from and attributable to third-party public research; no proprietary, classified, or non-public information is disclosed. The views expressed are the author's own and do not constitute legal advice.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>webdev</category>
      <category>eu</category>
    </item>
    <item>
      <title>How Dark Web Services Are Reshaping Cognitive Warfare - Part Two</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 06 Jul 2026 09:33:54 +0000</pubDate>
      <link>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-part-two-216g</link>
      <guid>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-part-two-216g</guid>
      <description>&lt;p&gt;The Soft Target: Why Eastern Europe Is the Testing Ground for the Next Wave of Cognitive Warfare&lt;br&gt;
Part two of the Cognitive Warfare series. Part one, "The Same War, A Faster Engine," argued that influence operations and the dark web underground have merged into one supply chain. This piece is a forecast: who gets hit first, why now, and what the tooling from part one makes possible.&lt;/p&gt;

&lt;p&gt;In part one I described the convergence how cognitive warfare stopped being a separate discipline from cybercrime and started drawing from the same underground marketplace of AI tooling, synthetic identity, and rented infrastructure. This piece is the uncomfortable follow-on. That convergence doesn't get deployed evenly. It gets deployed where it works best first. And right now, the place it works best is the Eastern Flank.&lt;/p&gt;

&lt;p&gt;I first watched cognitive warfare take shape from the inside, between 2014 and 2016, when I had direct contact with the actors building out hybrid-warfare and PsyOps ecosystems on the Eastern Flank. Back then the toolkit was slow and labor-intensive: manually run sockpuppet farms, forum seeding done by hand, narrative testing that took weeks to show results, and recruitment that depended on patient, one-to-one grooming inside underground communities. The strategic logic divide, confuse, exhaust, delegitimize was already fully formed. What has changed since is not the doctrine. It's the engine.&lt;/p&gt;

&lt;p&gt;This is my assessment, not a settled fact, so I'll state it plainly and with my confidence level attached: I assess with moderate-to-high confidence that hostile state-aligned influence activity targeting Eastern Europe will rise by roughly 50–60% in tempo through late 2026 and into 2027, with a distinct escalation beginning around Q4 2026. I'll explain the reasoning rather than ask you to take the number on faith a forecast you can't interrogate is just a guess with a decimal point.&lt;/p&gt;

&lt;p&gt;Why the East, and Why Now&lt;br&gt;
Cognitive warfare is opportunistic. It doesn't pick fights it might lose; it picks the softest available surface and pushes. Several conditions are lining up in Eastern Europe at the same time, and hostile actors read those conditions the same way I do.&lt;/p&gt;

&lt;p&gt;The calendar is crowded. A dense run of elections across Central and Eastern Europe through 2026 and 2027 gives hostile actors a series of scheduled, high-value targets. Independent European analysis has flagged that interference efforts in this cycle are expected to lean heavily on large-scale disinformation, platform manipulation, and cyber operations aimed at political actors and electoral infrastructure. Elections are not just democratic events; they are windows where a population is already primed to argue, already saturated with political messaging, and therefore already harder to protect. Narrative seeding for these operations typically starts six to twelve months ahead of a vote which is precisely why a Q4 2026 escalation makes sense as a launch window for cycles landing in 2027.&lt;/p&gt;

&lt;p&gt;The economic ground is soft. Inflation across several Central and Eastern European economies remains above target, wage and price pressures are elevated, and an energy shock has pushed growth forecasts down while driving costs up. Public spending demands pensions, healthcare, defense are rising against limited fiscal room. In at least three countries in the region, pension increases can't keep pace with the cost of living, and that gap is not an abstract statistic. It is a lever. Economic anxiety is the single most reliable emotional fuel for influence operations, because a person worried about heating their home in winter is a person whose attention and trust are cheap to buy.&lt;/p&gt;

&lt;p&gt;The population is under-defended. This is the part that matters most and gets discussed least. Post-communist societies in Europe's periphery have relatively shallow institutional trust and, in many places, low media-literacy infrastructure compared to Western Europe. Analysts have long noted that vote-manipulation and disinformation tactics are most effective exactly in these environments, where democratic roots are newer and the reflex to interrogate a suspicious claim is less developed. When most of a population hasn't been trained to recognize a manufactured narrative, the narrative doesn't need to be sophisticated. It just needs to arrive.&lt;/p&gt;

&lt;p&gt;The elderly are a specific, deliberate target. Older populations skew toward higher trust in traditional-looking media formats, lower fluency with synthetic-content detection, and — in economically squeezed regions acute personal grievance over pensions and healthcare. That combination makes them the highest-yield demographic for a certain class of operation: pension scaremongering, healthcare-collapse narratives, and "the system has abandoned you" messaging that converts economic pain into political distrust. This is not incidental targeting. It is demographic selection based on susceptibility.&lt;/p&gt;

&lt;p&gt;Why This Wave Looks Different From 2016&lt;br&gt;
I watched the early version of this from the inside a decade ago. What made the old model manageable was its cost. Running a convincing influence operation used to require real people, real time, and real language skill. Those constraints acted as natural throttles.&lt;/p&gt;

&lt;p&gt;The tooling described in part one removes those throttles, and it does so using infrastructure bought, rented, or built on the dark web and underground channels rather than developed in-house. That's the connective tissue between the two pieces: a state-aligned operation preparing for the Eastern Flank in Q4 2026 no longer needs to stand up its own capability from scratch. It can source large parts of the operation synthetic personas, AI-generated regional-language content, spoofed local-news infrastructure, amplification networks — from the same marketplace that sells ransomware kits and phishing subscriptions.&lt;/p&gt;

&lt;p&gt;The commercial disinformation market is now mature enough to price this openly. Network-analysis researchers identified well over a hundred commercial disinformation providers operating across dozens of countries as of early 2026, selling everything from bot networks to deepfake video production, with sustained cross-platform election-cycle campaigns priced in the low-to-mid six figures. That is a rounding error in a state budget. The barrier to entry for cognitive warfare, as I argued in part one, has collapsed and Eastern Europe is where that collapsed cost meets the softest available target.&lt;/p&gt;

&lt;p&gt;There's a second difference worth naming. This next wave is, in part, a test. Hostile actors use the Eastern Flank as a proving ground precisely because it's forgiving a place to test narrative payloads, measure response times, and calibrate which techniques survive contact with local defenses before those same techniques get pointed at harder Western targets later. When you see a crude-looking operation in the region and think "that would never work here," you may be watching a rehearsal, not the performance.&lt;/p&gt;

&lt;p&gt;What the Escalation Actually Looks Like&lt;br&gt;
I don't expect the Q4 2026 escalation to announce itself. Cognitive warfare's whole advantage is that it stays below the threshold that would trigger a hard response. What I'd expect to see instead, in rough order:&lt;/p&gt;

&lt;p&gt;The quiet phase comes first narrative seeding through accounts and outlets that look organic and local, introducing wedge themes around pensions, energy costs, migration, and national sovereignty months before any vote. Then amplification, as AI-run persona networks (the tireless "spotters" and boosters I described in the companion piece on recruitment) inflate those narratives to look like genuine grassroots sentiment. Then the synthetic-media layer — cloned voices of local figures, spoofed regional news sites, fabricated "leaked" documents — timed to land when verification is slowest and emotion is highest. And underneath all of it, the same rented underground infrastructure doing the unglamorous work of hosting, spoofing, and laundering attribution.&lt;/p&gt;

&lt;p&gt;None of these stages is new. What's new is that all of them are now cheap, fast, and available to buy and that they're being aimed at a region that is, right now, unusually easy to move.&lt;/p&gt;

&lt;p&gt;Why You Should Take the Forecast Seriously&lt;br&gt;
Three things make this more than routine threat-inflation:&lt;/p&gt;

&lt;p&gt;The vulnerability is structural, not temporary. Economic strain, crowded elections, thin media-literacy infrastructure, and a susceptible elderly demographic aren't a passing alignment they're the standing condition of the region going into 2027. The window doesn't close after one election.&lt;br&gt;
The cost asymmetry favors the attacker permanently now. When a six-figure campaign can be assembled from off-the-shelf underground components, defending costs far more than attacking. That math doesn't reverse on its own.&lt;br&gt;
The test-bed dynamic means the region's problem is everyone's problem. Techniques proven on the Eastern Flank don't stay there. What works in a low-defense environment gets refined and exported to higher-defense ones. Watching this region closely isn't regional charity; it's early warning for everyone else.&lt;/p&gt;

&lt;p&gt;The doctrine hasn't changed since I first saw it form. The targets, the timing, and the tooling have. Eastern Europe is where the next version gets tested and the honest reason it gets tested there first is that, right now, it's the place most likely to work.&lt;/p&gt;

&lt;p&gt;Part three will look at what actually raises the cost for the attacker the detection and resilience measures that survive contact with this tooling, and the ones that don't.&lt;/p&gt;

&lt;p&gt;Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects the author's independent analytical assessment alongside open-source, publicly reported research (TLP:CLEAR). Forecasts, tempo estimates, and timing windows represent the author's professional judgment with stated confidence levels they are analytical projections, not statements of established fact, and should not be read as predictions of any specific event. This piece does not name or accuse any specific state, government, nationality, organization, or individual of wrongdoing, and attributes no activity to any named party. Nothing here constitutes technical instruction, operational guidance, or a how-to for conducting intrusion, fraud, or influence operations no methods, code, configurations, or vendor identifiers are provided. All external findings are drawn from and attributable to third-party public research; no proprietary, classified, or non-public information is disclosed. The views expressed are the author's own and do not constitute legal, financial, or political advice.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>webdev</category>
      <category>eu</category>
    </item>
    <item>
      <title>How Dark Web Services Are Reshaping Cognitive Warfare</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 03 Jul 2026 06:57:09 +0000</pubDate>
      <link>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-c10</link>
      <guid>https://dev.to/aetherintel/how-dark-web-services-are-reshaping-cognitive-warfare-c10</guid>
      <description>&lt;p&gt;It took me a few months to write the articles in Cognitive Warfare articles , The most important link, the one with dark web services and threat actors from tor/telegram/underground(clear-net) . This article is the first of Cognitive Warfare series… and I hope i will bring the focus on this now when isnt so big on threat landscape (until isnt to late)… to few companies/researchers are focus on this the connection betwen Human Behavior,Cognitive Warfare,Influence Ops, dark net-telegram,underground.&lt;/p&gt;

&lt;p&gt;I first watched cognitive warfare take shape from the inside, between 2014 and 2016, when I had direct contact with the actors building out hybrid-warfare and PsyOps ecosystems on the Eastern Flank. Back then the toolkit was slow and labor-intensive: manually run sockpuppet farms, forum seeding done by hand, narrative testing that took weeks to show results, and recruitment that depended on patient, one-to-one grooming inside underground communities. The strategic logic divide, confuse, exhaust, delegitimize was already fully formed. What has changed since is not the doctrine. It’s the engine.&lt;/p&gt;

&lt;p&gt;Ten years later, the same category of actors is running the same playbook, except now the manual bottlenecks are gone. AI didn’t invent cognitive warfare. It industrialized it, and it did so by fusing directly with the dark web and underground services economy that criminal actors had already built for profit.&lt;/p&gt;

&lt;p&gt;Where the Threads Meet&lt;/p&gt;

&lt;p&gt;Cognitive warfare and cybercrime used to be treated as separate disciplines one concerned with narratives and perception, the other with intrusion and monetization. That separation no longer holds. The underground now functions as a shared supply chain for both.&lt;/p&gt;

&lt;p&gt;Group-IB’s 2026 threat research documents a 371% surge in dark web forum posts referencing AI since 2019, with replies up nearly twelvefold. The offerings split into three buckets: proprietary “Dark LLMs” stripped of guardrails, jailbreak-framework services sold as reusable templates, and malware or tooling generation. None of this is exotic anymore subscriptions to uncensored criminal AI models run $30–200 a month with customer bases exceeding a thousand users per vendor. A tool like DIG AI, accessible through Tor with no registration, can generate malware, scam scripts, and propaganda content on demand, explicitly designed to bypass the moderation layers built into mainstream models.&lt;/p&gt;

&lt;p&gt;That last detail matters more than it looks. Influence operations and cybercrime infrastructure are now built on the same commodity tooling, sold through the same channels, to the same buyer pool.&lt;/p&gt;

&lt;p&gt;Recruitment: From Patient Grooming to Automated Sourcing&lt;/p&gt;

&lt;p&gt;In 2014–2016, building a network of operators whether for narrative amplification or technical intrusion meant identifying people inside forums, testing their reliability, and slow-walking trust. It was HUMINT tradecraft, full stop.&lt;/p&gt;

&lt;p&gt;The recruitment layer has since moved largely onto Telegram, which by 2026 functions as the connective tissue linking access brokers, ransomware affiliates, malware vendors, and leak channels into one operational environment. Ransomware groups post affiliate terms publicly the RaaS group “The Gentlemen” grew into the second-most-active ransomware operation of 2026 partly by offering a 90/10 revenue split to attract experienced operators away from competing programs. Hacktivist collectives with documented state-aligned sympathies use the same channels to recruit participants, coordinate DDoS campaigns, and distribute propaganda in the same breath. The line between “hire a hacker” and “recruit an influence operator” has effectively collapsed into a single Telegram storefront.&lt;/p&gt;

&lt;p&gt;What used to require weeks of vetting now happens through a public post and a commission structure.&lt;/p&gt;

&lt;p&gt;The As-a-Service Layer: Buying Capability Instead of Building It&lt;/p&gt;

&lt;p&gt;This is where the operational shift is sharpest, and it maps directly onto what you’d expect from an industrialized underground:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Ransomware-as-a-Service (RaaS) — turnkey lockers, affiliate panels, and negotiation infrastructure, rented rather than built. The barrier to running a ransomware campaign is now a payment, not a skill set.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Download the Medium App&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Phishing-as-a-Service (PhaaS) — platforms such as Darcula and Lucid have impersonated 200+ organizations across a hundred-plus countries and operate across iMessage and RCS at global scale, all sold as subscription products. A law-enforcement takedown this year of one such operation, “Outsider Enterprise,” linked it to over a million fraudulent URLs and roughly $1.9 billion in losses.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Hacking-as-a-Service / access brokerage — initial access to corporate VPNs, RDP servers, and domain credentials is sold with proof-of-compromise screenshots attached, the same way a legitimate vendor would attach a product spec sheet.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Deepfake-as-a-service — synthetic identity kits, cloned voices, and even biometric datasets are advertised for as little as $5, built from as little as ten seconds of scraped audio.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Every one of these categories is bundled and cross-sold on the same forums and Telegram channels. A buyer doesn’t need to be a hacker, a forger, or a propagandist. They need a budget and a Telegram handle.&lt;/p&gt;

&lt;p&gt;What AI Actually Changed&lt;/p&gt;

&lt;p&gt;The doctrine I watched form in 2014–2016 hasn’t moved. What AI changed is throughput, personalization, and deniability the three variables that used to be cognitive warfare’s real bottleneck.&lt;/p&gt;

&lt;p&gt;Phishing and social engineering no longer carry the tells that used to make them spottable. Academic researchers testing LLM-generated phishing content found it grammatically sound, contextually coherent, and linguistically natural — controlled studies now show AI-generated phishing matches or exceeds human-crafted phishing in effectiveness, while collapsing the skill and time an attacker needs to nearly zero. Industry data from 2025 put AI-supported social engineering above 80% of observed cases.&lt;/p&gt;

&lt;p&gt;Voice and video impersonation turned a scarce, high-skill capability into a commodity. Ten seconds of audio pulled from a webinar, a podcast, or a social clip is now enough to clone a voice convincingly. Group-IB tracked a 52% year-on-year increase in unique dark-web actors trading in deepfake/KYC-bypass material.&lt;/p&gt;

&lt;p&gt;Site and infrastructure generation used to require a developer. Now AI can stand up a convincing spoofed login page or MITM relay from a prompt, at a speed and volume that makes takedown-and-whack-a-mole defense structurally unwinnable — the same phishing operation dismantled this year had registered over 9,000 fake websites.&lt;/p&gt;

&lt;p&gt;Attribution and deniability improved for the operator, not the defender. Dark LLMs with no ethical restrictions let a state-aligned actor or a purely criminal one produce identical-looking output, deepening the plausible-deniability layer that hybrid warfare has always depended on. State-aligned operators increasingly route through ransomware crews and hacktivist fronts specifically because it blurs the line between espionage, crime, and propaganda — one advisory this year describing a state-aligned actor using Telegram-controlled botnets to scale operations is one visible thread of a pattern that’s mostly invisible.&lt;/p&gt;

&lt;p&gt;Why This Should Worry You More Than the Individual Incidents&lt;/p&gt;

&lt;p&gt;None of the pieces above are new in isolation. What’s new and what I didn’t see coming with this much force back in 2014 is the convergence. The underground stopped being a place where you found either criminal tooling or influence-operation support. It’s now a single marketplace serving both missions with the same products, because the technical substrate (AI-generated content, synthetic identity, automated infrastructure) is identical whether the objective is a ransom payment or a destabilized electorate.&lt;/p&gt;

&lt;p&gt;That convergence has three consequences worth sitting with:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;The cost of entry for cognitive warfare has collapsed. A state actor no longer needs a dedicated troll farm. It needs a Telegram account and a subscription.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Attribution is getting structurally harder, not just tactically harder. When criminal RaaS affiliates, hacktivist fronts, and state operators draw from the same AI tooling and the same recruitment channels, distinguishing “crime” from “warfare” becomes a judgment call rather than a technical finding.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Detection built for the old signatures is aging out in real time. Defenses tuned to catch bad grammar, robotic voices, or slow-built sockpuppet histories are being outrun by tooling that removes exactly those tells. The gap isn’t awareness — most of the industry now knows this is happening. The gap is that the defensive tooling and the regulatory response are still catching up to an offense that reorganizes itself on Telegram in the time it takes a channel to get banned and reborn.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The doctrine I saw form a decade ago was patient and manpower-limited. It no longer is. That’s the part worth taking seriously — not because the intent behind cognitive warfare changed, but because the underground economy handed it an engine built for scale.&lt;/p&gt;

&lt;p&gt;Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects open-source analysis and publicly reported research (TLP:CLEAR), does not name or accuse any specific state, government, or nationality of wrongdoing, and does not attribute any activity to a named individual, organization, or country. Nothing in this piece constitutes technical instruction, operational guidance, or a how-to for conducting intrusion, fraud, phishing, or influence operations — no methods, code, prompts, configurations, or vendor/market identifiers are provided. All findings are drawn from and attributed to third-party, publicly available security research; no proprietary, classified, or non-public information is disclosed. The views expressed are the author’s own analytical assessment and do not constitute legal advice.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>cryptocurrency</category>
      <category>webdev</category>
    </item>
    <item>
      <title>The same 5 signals that preceded every major attack wave since 2012 are all active right now</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 01 Jul 2026 05:18:16 +0000</pubDate>
      <link>https://dev.to/aetherintel/the-same-5-signals-that-preceded-every-major-attack-wave-since-2012-are-all-active-right-now-302n</link>
      <guid>https://dev.to/aetherintel/the-same-5-signals-that-preceded-every-major-attack-wave-since-2012-are-all-active-right-now-302n</guid>
      <description>&lt;p&gt;&lt;em&gt;What I’m seeing right now on the dark web tells me the next major attack wave is not a question of if. It is a question of how ready you are when it arrives.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I monitor dark web/underground ecosystems for a living. I have been doing it for nearly two decades. What I am going to describe in this article is not a forecast based on trend extrapolation or vendor data. It is based on what I am watching happen right now this week, this month inside the underground communities where tomorrow’s attacks are being planned, staffed, and tooled.&lt;/p&gt;

&lt;p&gt;The short version: the conditions for a significant surge in cyberattacks targeting both corporate revenue and critical infrastructure are converging toward Q1 2027. The workforce is being recruited now. The tools are being built now. The economic pressures driving the recruitment are intensifying, not easing. And AI is making the entire pipeline faster, cheaper, and accessible to people who would not have qualified as threat actors twelve months ago.&lt;/p&gt;

&lt;p&gt;Here is what that looks like from the inside.&lt;/p&gt;

&lt;p&gt;New groups are forming every week&lt;/p&gt;

&lt;p&gt;Over the past two weeks alone, on just two forums that I monitor directly, I have observed multiple new criminal groups either forming from scratch or actively recruiting to expand. These are not established operations adding a few members. These are new entities new names, new channels, new recruitment threads appearing at a rate that is meaningfully higher than what I have observed at any point in the past several years.&lt;/p&gt;

&lt;p&gt;The groups are forming predominantly from individuals based in Eastern Europe, but they are not operating regionally. They are building distributed teams across multiple continents. The operational structure is global from day one. A recruiter in one country, a developer in another, an access broker in a third, a money-laundering channel in a fourth. The groups are born international because the tools and platforms they useencrypted messaging, cryptocurrency, dark web forums make geography irrelevant to operational structure.&lt;/p&gt;

&lt;p&gt;This is not a blip. Every week I check, there are new groups. Every week, the recruitment threads have more responses. The underground labour market is growing because demand for what it produces access, tools, and operational capability is growing.&lt;/p&gt;

&lt;p&gt;The economic pressure is the driver&lt;/p&gt;

&lt;p&gt;People do not wake up one morning and decide to become cybercriminals. They arrive there through a sequence of economic calculations, each one small and each one rational within its own frame. The sequence starts with financial pressure wages that do not cover expenses, opportunities that do not materialise, a gap between what a person can earn legitimately and what they need to survive or to achieve the standard of living they believe they deserve.&lt;/p&gt;

&lt;p&gt;That financial pressure is intensifying across multiple regions right now. Economic disruption driven by geopolitical instability collapsing commodity revenues in states that depend on energy exports, sanctions-driven contraction in economies adjacent to conflict zones, inflationary pressure in developing economies is producing a generation of technically literate young people with skills, internet access, and no legitimate path to the income they want.&lt;/p&gt;

&lt;p&gt;The underground is where those skills find a market. The groups forming right now are not staffed by career criminals with decades of dark web history. They are staffed by people who crossed the line recently pushed by economic circumstances that make the risk calculus of cybercrime look rational. They are willing to take risks that established actors would not, because established actors have something to protect and these new entrants do not. They are more reckless, more aggressive, and more willing to target high-value infrastructure because the potential payout justifies the risk in their calculation.&lt;/p&gt;

&lt;p&gt;When economic pressure increases, the underground labour supply increases. When the labour supply increases, the operational output increases. When the operational output increases, your company is more likely to be targeted. The chain is direct and observable.&lt;/p&gt;

&lt;p&gt;AI is the accelerant&lt;/p&gt;

&lt;p&gt;Every observation I have made about the underground over the past year comes back to the same structural shift: AI has lowered the barrier to entry for offensive cyber operations in a way that is difficult to overstate.&lt;/p&gt;

&lt;p&gt;Twelve months ago, launching a credible attack against a well-defended corporate target required genuine technical expertise the kind of expertise that takes years to develop and that naturally limited the pool of capable threat actors. Today, AI tools can generate phishing content that is contextually convincing in any language, produce malware variants that evade signature-based detection, automate vulnerability scanning at a speed that manual operators cannot match, and assist in lateral movement decisions that previously required experienced human judgment.&lt;/p&gt;

&lt;p&gt;Become a Medium member&lt;br&gt;
The new recruits I observe entering the underground are not experts. Many of them would have failed the vetting tests that established groups administer except that they are using AI to pass those tests. They arrive in the ecosystem with AI-augmented capability that exceeds their actual skill level. Their OPSEC is weak because they do not understand the tools they are using at a fundamental level. But their operational capability is sufficient to cause serious damage, because the tools do not require deep understanding to produce results.&lt;/p&gt;

&lt;p&gt;This is the AI-assisted mediocrity problem, and it is the single most important shift in the threat landscape right now. The previous generation of threat actors was small and skilled. The next generation will be large and adequate. Adequate is enough to breach a network, encrypt critical systems, exfiltrate data, and demand ransom. The damage is the same whether the attacker is an expert or an AI-assisted beginner. The difference is that there will be far more of them.&lt;/p&gt;

&lt;p&gt;Why Q1 2027 specifically&lt;/p&gt;

&lt;p&gt;The timeline is not arbitrary. It follows from the recruitment-to-deployment cycle that I have observed consistently across the ecosystems I monitor.&lt;/p&gt;

&lt;p&gt;The groups recruiting now in June and July 2026 will spend the next three to six months building capability: assembling teams, acquiring tools, purchasing access from initial-access brokers, testing their operational workflows, and selecting targets. The operational output of this recruitment wave will begin appearing in Q4 2026 and will reach full volume in Q1 2027.&lt;/p&gt;

&lt;p&gt;Simultaneously, the geopolitical pressures driving the recruitment are not easing. Energy-dependent economies facing revenue collapse are producing more economic pressure, which produces more underground labour supply, which produces more operational capability. The cycle is self-reinforcing. Each quarter’s economic pressure funds the next quarter’s recruitment, and each quarter’s recruitment funds the following quarter’s attack volume.&lt;/p&gt;

&lt;p&gt;The attack increase data supports this trajectory. Credible industry reporting indicates a 40–50% increase in attacks in 2025 over the prior year. Based on what I observe in the underground right now, 2026 is on track for a 60–80% increase. And the recruitment wave currently underway suggests that Q1 2027 through mid-2028 will see a further acceleration driven by the largest cohort of new threat actors to enter the ecosystem in a single cycle.&lt;/p&gt;

&lt;h2&gt;
  
  
  What companies and critical infrastructure operators should be doing right now
&lt;/h2&gt;

&lt;p&gt;The window for preparation is the next six months. After that, the wave arrives and the question shifts from prevention to response.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Invest in primary-source intelligence.&lt;/em&gt; Threat feeds and SIEM alerts tell you what happened yesterday. Understanding what is being built in the underground right now which groups are forming, what tools they are acquiring, what targets they are discussing tells you what will happen next quarter. The gap between reactive and proactive intelligence is the gap between paying ransom and preventing the breach.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Hire people who think like attackers.&lt;/strong&gt; The security industry is full of talented technical professionals who excel at defence. What most teams lack is someone who can stand in the attacker’s shoes who can look at your infrastructure the way a threat actor would and identify the path of least resistance before the attacker finds it. This requires adversarial imagination, not just technical skill.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Accept that AI has changed the threat model.&lt;/strong&gt; Your defences were designed for a world where capable attackers were rare and unskilled attackers were not dangerous. That world no longer exists. AI has created a middle category adequately skilled attackers in large numbers — and your detection, response, and recovery capabilities need to be calibrated for volume, not just sophistication.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Stress-test your critical infrastructure dependencies.&lt;/strong&gt; The groups I observe forming right now are not all targeting corporate data for ransom. Some are explicitly discussing critical infrastructure energy, logistics, communications, financial systems. Whether their motivation is profit, disruption, or alignment with state interests they may not even fully understand, the targeting is real and the capability is being assembled now.&lt;/p&gt;

&lt;p&gt;The uncomfortable truth&lt;/p&gt;

&lt;p&gt;The cybersecurity industry has spent two decades building defences optimised for a threat landscape that is about to change structurally. The change is not theoretical. It is observable. I can see the groups forming. I can see the recruits arriving. I can see the tools being built. I can see the access being purchased. The pipeline is full, and it is flowing toward Q1 2027.&lt;/p&gt;

&lt;p&gt;React later, pay more. See it now, prevent it.&lt;/p&gt;

&lt;p&gt;The next six months are the preparation window. What companies and infrastructure operators do in this window will determine whether Q1 2027 is a crisis they managed or a crisis that managed them.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania, specialising in dark web HUMINT, behavioural threat actor profiling, and adversarial infrastructure analysis. He publishes open intelligence research at &lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;https://aether-intel.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This article is based on direct observation of underground ecosystems. No specific forums or channels are identified by name. No classified intelligence is cited or implied.*&lt;/p&gt;

&lt;h1&gt;
  
  
  CyberSecurity #ThreatIntelligence #DarkWeb #HUMINT #Ransomware #CriticalInfrastructure #CISO #InfoSec #CyberThreats #AI #ThreatActors #OSINT #RiskManagement #IncidentResponse
&lt;/h1&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
    </item>
    <item>
      <title>Last month I saw something I haven’t seen in 18 years of dark web and underground monitoring.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 26 Jun 2026 06:53:03 +0000</pubDate>
      <link>https://dev.to/aetherintel/last-month-i-saw-something-i-havent-seen-in-18-years-of-dark-web-and-underground-monitoring-547c</link>
      <guid>https://dev.to/aetherintel/last-month-i-saw-something-i-havent-seen-in-18-years-of-dark-web-and-underground-monitoring-547c</guid>
      <description>&lt;p&gt;The underground is changing faster than the security industry is adapting. Here’s what nearly two decades of direct monitoring reveals about what’s coming next.&lt;/p&gt;

&lt;p&gt;By Adrian Alexandru — Lead Analyst, Aether Intel (aether-intel.com)&lt;/p&gt;

&lt;p&gt;I have spent nearly two decades monitoring dark web ecosystems not through dashboards, not through vendor feeds, not through scraped data. Through direct, sustained presence inside underground communities, forums, and Telegram channels where threat actors recruit, negotiate, build tools, and plan operations.&lt;/p&gt;

&lt;p&gt;What I saw in the last 30 days is different from anything I have seen in the previous 18 years. Not because any single thing is unprecedented, but because the rate of change has accelerated to a point where the security industry’s standard response cycles are structurally too slow to keep up.&lt;/p&gt;

&lt;p&gt;Here are six observations from June 2026. None of them will show up in your threat feed.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;More new markets than at any point in the last decade
New dark web marketplaces are appearing at a rate I have not seen since the post-Silk Road proliferation era of 2014–2015. The difference is what is powering them.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In the mid-2010s, launching a dark web marketplace required a team: developers for the platform, someone who understood escrow systems, someone who could set up the hosting,mods, someone who could handle vendor onboarding. The infrastructure barrier was real. Not everyone could clear it, which meant the ecosystem grew at a pace that defenders could roughly track.&lt;/p&gt;

&lt;p&gt;That barrier has collapsed. AI tools now automate the development of marketplace infrastructure storefront generation, escrow logic, vendor verification workflows, even dispute resolution and customer support. What used to take a team of specialists and months of development can now be assembled by a single motivated individual in a weekend.&lt;/p&gt;

&lt;p&gt;The result is a proliferation of markets that is outpacing defenders’ ability to catalogue, monitor, and assess them. Most of these new markets will fail they lack the reputation, the vendor base, and the operational depth of established platforms. But even failed markets cause damage while they operate: they facilitate transactions, they attract opportunistic actors, and they create noise that degrades the signal-to-noise ratio for anyone trying to monitor the ecosystem.&lt;/p&gt;

&lt;p&gt;The structural point is this: AI did not make the dark web more sophisticated. It made the dark web more accessible. And accessibility, at scale, is more dangerous than sophistication.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The old forums got smarter
While new markets proliferate at the low end, established forums and marketplaces at the high end are integrating AI into their own operations — not for offence, but for defence.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;I have observed established platforms deploying AI-driven capabilities across several domains: automated vetting of new vendors to detect law enforcement patterns, behavioural analysis of member activity to identify infiltrators, automated OPSEC auditing of listings to flag operational security failures that could expose the platform, and AI-assisted content moderation that operates at a speed and consistency that human moderators cannot match.&lt;/p&gt;

&lt;p&gt;The irony is sharp. The same AI tools that legitimate companies use for fraud detection and content moderation are being adopted by the underground for exactly the same purposes just aimed in the opposite direction. The forums are using AI to detect the people trying to detect them.&lt;/p&gt;

&lt;p&gt;This creates a capability arms race that most defenders do not yet recognise they are in. The assumption in much of the security industry is that the underground is technically unsophisticated populated by script kiddies and opportunists running tools they do not fully understand. That assumption was already outdated. It is now dangerously wrong. The top-tier forums are running security operations that would be recognisable to any SOC analyst, because they are using the same conceptual framework and, increasingly, the same AI tooling.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The Gentleman and at least five others are recruiting simultaneously
In the past few weeks,months even,I have observed at least six major threat actorsincluding the group known as The Gentleman launching active recruitment (affiliate programs) campaigns across dark web forums and Telegram channels.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The volume matters. Individual recruitment drives are normal. They happen regularly as groups expand, replace arrested members, or prepare for specific campaigns. Six simultaneous recruitment drives from established threat actors is not normal. It represents either a coordinated expansion, a response to a market opportunity that multiple actors have identified independently, or preparation for a campaign cycle that requires a larger workforce than any individual group currently maintains.&lt;/p&gt;

&lt;p&gt;I cannot determine from external monitoring which of these explanations is correct. What I can say from sustained observation is that when multiple established actors recruit simultaneously, the output — the operations those recruits will eventually execute arrives 3–6 months later. The recruitment wave of June 2026 is the workforce build for the attack cycle of late 2026 and early 2027.&lt;/p&gt;

&lt;p&gt;The market is growing because the market expects to need more people. That expectation is, in itself, the most important indicator in this report.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;New recruits are passing vetting tests by using AI to cheat them
Here is the part that should concern defenders most, and it is the observation I find most analytically significant.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Become a Medium member&lt;br&gt;
When a new recruit approaches one of these groups without an established dark web reputation without the years of forum history, the vouching from known actors, the track record that constitutes credibility in the underground the groups typically administer a vetting test. The tests vary by group and by role, but they generally assess technical capability: can this person do what they claim they can do?&lt;/p&gt;

&lt;p&gt;What I am observing now is that the majority of candidates without established reputation are passing these tests by using AI tools to generate the answers. The recruits do not have the technical depth that the tests are designed to verify. They have access to AI tools that can produce technically correct outputs on demand.&lt;/p&gt;

&lt;p&gt;The downstream implications are significant. The next wave of threat actors entering the ecosystem will be, on average, less technically skilled than their predecessors. They will have weaker operational security because they do not fully understand the tools they are using. They will make more mistakes. And they will still be capable of causing serious damage — because the tools they are deploying, even when operated by less skilled hands, are powerful enough to breach, encrypt, exfiltrate, and extort.&lt;/p&gt;

&lt;p&gt;This is the AI-assisted mediocrity problem, and it is more dangerous than it sounds. A highly skilled threat actor with strong OPSEC is dangerous but predictable they follow patterns, they protect their operations, they can be profiled and tracked. A less skilled actor with weak OPSEC and AI-augmented capability is dangerous and unpredictable — they make erratic decisions, they leave trails that lead nowhere useful, and they cause damage through volume and carelessness rather than through precision.&lt;/p&gt;

&lt;p&gt;Defenders are optimised to fight the first type. The second type is what is coming.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The new generation runs on money and fame — nothing else
The previous generation of major threat actors the groups that defined the dark web landscape from roughly 2015 to 2023 operated with a mixture of motivations. Some had ideological commitments. Some had technical pride. Many had community loyalty and a code of behaviour that, while criminal, was internally consistent. They protected their operations because their operations were their identity.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The new wave has none of this.&lt;/p&gt;

&lt;p&gt;From observation, the recruits entering the ecosystem now are motivated almost exclusively by two things: money and fame. They want to get paid. They want to be known. They want the screenshot of the ransom note on their Telegram channel. They want the reputation without the years of work that reputation used to require.&lt;/p&gt;

&lt;p&gt;For defenders, this shift in motivation profile has direct tactical consequences. Actors motivated by community loyalty and operational longevity are cautious they minimise collateral damage because collateral damage draws attention, and attention threatens their operations. Actors motivated by money and fame are not cautious they maximise impact because impact is the product. The ransomware note is not a means to an end. It is the end. The data exfiltration is not leverage for negotiation. It is content for their channel.&lt;/p&gt;

&lt;p&gt;You cannot predict someone who has nothing to protect and nothing to lose. The traditional threat-actor profiling frameworks that work for established groups profiling their operational patterns, their targeting preferences, their negotiation behaviour do not work for actors whose operational pattern is chaos and whose negotiation behaviour is performative.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The numbers tell a story that is not over
A recent report from a Fortune 50 company confirmed what I have been observing from the underground side: cyberattacks increased by 40–50% in 2025 compared to the prior year. Based on what I see in the recruitment patterns, market proliferation, and AI-tool adoption documented in this article, I assess that attacks in 2026 are on track for a 60–80% increase.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;But the curve does not plateau there. The recruitment wave happening now the six simultaneous campaigns, the AI-assisted vetting, the influx of money-motivated actors is the workforce build for 2027. The tools being developed and tested in underground environments right now are the tools that will be deployed at scale in Q1 2027 through mid-2028.&lt;/p&gt;

&lt;p&gt;The attack curve is not flattening. It is steepening. And the steepening has not started yet.&lt;/p&gt;

&lt;p&gt;What this actually means: the prediction nobody wants to hear&lt;br&gt;
Here is the uncomfortable conclusion from all six observations taken together.&lt;/p&gt;

&lt;p&gt;In the next few months not years, months the technical skills that currently define cybersecurity hiring will not be sufficient to prevent the coming wave of attacks. SOC analysts who are excellent at reading logs, writing detection rules, and responding to alerts will continue to be essential. But they will not be enough. The attacks that are being built right now will be designed by people using AI tools to generate capability they do not personally possess, launched by people whose operational patterns do not match any existing profile, and funded by an ecosystem that is growing faster than any monitoring programme can track.&lt;/p&gt;

&lt;p&gt;What companies, CERTs, and government security teams actually need — and what almost none of them currently have is people with real access to underground ecosystems. People who can see what is being built before it is deployed. People who can think like a threat actor because they have spent years watching threat actors think. People who combine technical understanding with the kind of adversarial imagination that lets them stand in the attacker’s shoes and see the target the way the attacker sees it.&lt;/p&gt;

&lt;p&gt;I call them reality dreamers — analysts with enough imagination to predict what has not happened yet, based on what they can see being assembled right now. The security industry is full of people who can tell you what happened yesterday. It has very few people who can tell you what will happen next month. And the gap between those two capabilities is where the next breach will live.&lt;/p&gt;

&lt;p&gt;React later = pay more. See it now = prevent it.&lt;/p&gt;

&lt;p&gt;The choice is structural, and the window for making it is closing.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania. He has published 80+ TLP:CLEAR intelligence reports across four analytical series and maintains nearly two decades of direct dark web HUMINT monitoring capability. His work is freely available at aether-intel.com.&lt;/p&gt;

&lt;p&gt;This article is based on direct observation of underground ecosystems. No specific forums, marketplaces, or Telegram channels are identified by name except where the actor’s identity is already public. No classified intelligence is cited or implied.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>eu</category>
    </item>
    <item>
      <title>(How Influence Operations Work)What the Dark Web Taught Me About Modern Influence Operations</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 24 Jun 2026 08:04:43 +0000</pubDate>
      <link>https://dev.to/aetherintel/how-influence-operations-workwhat-the-dark-web-taught-me-about-modern-influence-operations-3mp9</link>
      <guid>https://dev.to/aetherintel/how-influence-operations-workwhat-the-dark-web-taught-me-about-modern-influence-operations-3mp9</guid>
      <description>&lt;p&gt;What nearly two decades of observing dark web ecosystems taught me about how influence operations really work. It often starts much deeper in underground communities most people never see.&lt;/p&gt;

&lt;p&gt;A lot of people across Eastern Europe have quietly decided that "disinformation" is a fake problem. A word the powerful use to dismiss anyone who disagrees with them. A control mechanism dressed up as a public-safety concern. If you have ever thought "they just call it disinformation when they don't like what I'm saying," this article is written for you and I am not going to tell you that you are stupid for thinking it.&lt;/p&gt;

&lt;p&gt;I have spent nearly two decades observing underground networks, dark web ecosystems, and the machinery of influence operations from the inside. And here is the uncomfortable thing I have to report from that vantage point: the suspicion is half right. There is a lie being told. It is just not the one you think.&lt;/p&gt;

&lt;p&gt;Your frustration is real. Start there.&lt;/p&gt;

&lt;p&gt;Before anything else, let me say the part that most articles on this subject skip, because skipping it is exactly why those articles fail.&lt;/p&gt;

&lt;p&gt;If you are frustrated with the way life works right now, the prices, the wages that do not stretch, the sense that the deck is stacked, the feeling that the people who decide things do not live in the same reality you do you are not wrong, and you are not imagining it. The economic squeeze is real. The gap between what a month of work buys now and what it bought before is real. Your anger is a rational response to a real situation. Nobody gets to tell you that feeling is invented.&lt;/p&gt;

&lt;p&gt;That is the foundation of everything that follows, so I want it to be unmistakable: this is not an article telling you to trust authority, calm down, and accept what you are told. The opposite, actually. It is an article about who is using your entirely legitimate frustration and how.&lt;/p&gt;

&lt;p&gt;The trap is built out of something true&lt;/p&gt;

&lt;p&gt;Here is a pattern I have watched many times. It is most effective on people who are 40 and older, and the reason is not that they are gullible. It is that they have lived through more than one system, and memory does a quiet, dishonest thing to all of us.&lt;/p&gt;

&lt;p&gt;When we look back at the past, we remember the good parts in high definition and we let the bad parts blur. The security we felt. The sense that things were simpler. The community. What fades is the queuing, the shortages, the fear, the things we could not say. So we end up making a comparison that is rigged before it starts: the best of what was, measured against the worst of what is. The good of then versus the bad of now. No present could ever win that contest, because it is not a fair fight it is nostalgia grading its own exam.&lt;/p&gt;

&lt;p&gt;This is not a character flaw. It is how human memory works, in every country, in every generation. But it creates a vulnerability. And vulnerabilities, in the world I come from, are not left lying around unused.&lt;/p&gt;

&lt;p&gt;What the operations actually do&lt;/p&gt;

&lt;p&gt;Here is the part people get wrong about influence operations, and it is the heart of this whole piece.&lt;/p&gt;

&lt;p&gt;Foreign influence operations and yes, are state-sponsored and well-documented in public reporting by EU, NATO, and national intelligence services( the most documented ≠ all of them , because the ops are worldwide ) though they are far from the only ones do not invent your frustration. They do not need to. Inventing anger is expensive and unconvincing. Amplifying anger that already exists is cheap and almost undetectable, because the raw material is genuine. You are not being fed a fake emotion. You are being fed a real emotion, carefully aimed.&lt;/p&gt;

&lt;p&gt;The operation's job is not to make you feel something false. It is to take what you already feel the legitimate economic frustration, the legitimate distrust, the genuine nostalgia and gently steer it: toward a specific conclusion, a specific enemy, a specific candidate, a specific paralysis. The content that does this does not arrive with a flag on it. It arrives looking like an ordinary person who feels exactly what you feel, who happens to have an explanation ready, and whose explanation always points the same direction.&lt;/p&gt;

&lt;p&gt;That is why it works on smart, skeptical people. The skepticism is real. The frustration is real. Only the steering is artificial and the steering is the only part you cannot see.&lt;/p&gt;

&lt;p&gt;Where it actually begins: the part nobody shows you&lt;/p&gt;

&lt;p&gt;Most people picture disinformation as something that lives on the surface a post on Facebook, a video on Telegram, a comment under an article. That is where you see it. It is not where it starts.&lt;/p&gt;

&lt;p&gt;In the ecosystems I monitor, the visible post is the last step in a long supply chain, and most of that chain runs underground. This is the connection that surprises people: the dark web and closed underground communities are not just for ransomware and stolen credit cards. They are also the infrastructure layer of influence operations. Specifically:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Recruitment happens there first. Before an "authentic local voice" ever posts, the people who will run, seed, and amplify a campaign are often recruited inside underground forums and closed channels sometimes knowingly as paid operators, sometimes as ideologically aligned volunteers who never realize whose strategy they are serving.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The capabilities are bought there. Aged social media accounts that look like real people with years of history. Networks of bots. Deepfake and synthetic-media services. Fake-engagement vendors. None of this is built in public. It is procured quietly, in the same markets that sell everything else.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;The money moves there. Operators get paid in cryptocurrency, routed through mixers designed to break the link between who pays and who posts the same financial plumbing used by the rest of the underground economy.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;It regroups there. When a public platform takes a network down, the community does not die. It reconverges because the relationships, not the platform, were the real infrastructure. The takedown moves the furniture. The operation continues.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So the thing you see on the surface the angry post that happens to match your mood — sits on top of a recruitment, procurement, payment, and coordination stack that mostly lives where you will never look. That is not a theory I read somewhere. It is the structure I have spent years watching assemble itself, piece by piece.&lt;/p&gt;

&lt;p&gt;So who is lying to you?&lt;/p&gt;

&lt;p&gt;Let us go back to where we started the suspicion that "disinformation" is just a control word.&lt;/p&gt;

&lt;p&gt;The lie is real. But the liar is not necessarily the one standing in front of you wearing an official badge. The more sophisticated lie is the one wearing your own face the account that feels like you, frustrated like you, nostalgic like you, and that quietly hands you a conclusion you think you reached on your own. The control you should worry about is not always the obvious, clumsy kind from above. Sometimes it is the invisible kind, coming from a server farm in another country, routed through someone who looks exactly like your neighbor.&lt;/p&gt;

&lt;p&gt;That is the genuinely unsettling part. The operation does not want your obedience. It wants your agreement agreement that feels like your own idea, because it was built out of feelings that genuinely were.&lt;/p&gt;

&lt;p&gt;What to actually do and it is not "trust the state"&lt;/p&gt;

&lt;p&gt;I am not going to end this by telling you to believe official sources, calm down, and stop questioning things. That would be insulting, and it would also be exactly the move the operations are betting I will make, because it confirms everything the skeptic already suspects.&lt;/p&gt;

&lt;p&gt;Here is the better defense, and it costs nothing:&lt;/p&gt;

&lt;p&gt;Defend your own mind, from everyone. Not from the state. Not from foreign operations. From anyone who wants to do your thinking for you.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;When a piece of information makes you feel a strong emotion fast anger, vindication, fear treat that speed as a warning light, not a green light. Strong instant emotion is the signature of content engineered to bypass thought. Slow down precisely when you feel pushed to speed up.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Check more than one source and sources that disagree with each other. Not one outlet, not one channel, not one "person who finally tells the truth." If a claim only exists in places that already share its conclusion, that is not corroboration. That is an echo.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Ask the question the operation hopes you will not ask: who benefits if I believe this and act on it? Follow it past the obvious answer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Notice when an explanation is too clean. Real life is messy and contradictory. Narratives that explain everything, blame one enemy for all of it, and leave you with a single clear action — those are manufactured more often than they are true.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;None of this means trusting authority. It means refusing to outsource your judgment to anyone your government, a foreign actor, a charismatic account, or me. Your frustration is yours. It is legitimate. The whole game is about who gets to aim it. The answer should be: nobody but you.&lt;/p&gt;

&lt;p&gt;That is the real lie worth being angry about not that someone called something disinformation, but that someone took a feeling that genuinely belonged to you and quietly pointed it where they wanted. You have every right to be frustrated. You also have every right to make sure the frustration stays yours.&lt;/p&gt;

&lt;p&gt;Full Reports on this subject you can find at Aether-Intel&lt;/p&gt;

&lt;p&gt;Adrian Alexandru is an independent cyber threat intelligence analyst specializing in passive digital HUMINT, behavioral analysis, and dark web ecosystems, based in Brașov, Romania. He publishes open intelligence research at [aether-intel.com]&lt;/p&gt;

&lt;p&gt;This article is analytical commentary; it names no individuals and characterizes no specific community&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>The Dark Web Is Already Building Sovereign AI's Next Battlefield. Europe Is Still Debating It. ( We need to move faster )</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sun, 21 Jun 2026 14:26:51 +0000</pubDate>
      <link>https://dev.to/aetherintel/the-dark-web-is-already-building-sovereign-ais-next-battlefield-europe-is-still-debating-it-we-15o7</link>
      <guid>https://dev.to/aetherintel/the-dark-web-is-already-building-sovereign-ais-next-battlefield-europe-is-still-debating-it-we-15o7</guid>
      <description>&lt;p&gt;While Europe Regulates, the Dark Web groups Are Already Recruiting the Next Generation of AI Weapons Specialists&lt;/p&gt;

&lt;p&gt;The sovereign AI race is not a competition Europe can prepare for. It is a competition Europe is already inside.&lt;/p&gt;

&lt;p&gt;I have spent nearly two decades monitoring dark web ecosystems forums, Telegram channels, encrypted messaging groups tracking how adversarial networks recruit, organise, and operate. Over the past eighteen months, I have watched something shift that I believe European policymakers need to hear about, even if it makes them uncomfortable.&lt;/p&gt;

&lt;p&gt;The underground is recruiting AI specialists.&lt;/p&gt;

&lt;p&gt;Not in the abstract. Not as a future risk. Right now, across Russian/Chinese-language and English-language underground forums and Telegram channels, groups aligned with multiple state interests are actively recruiting three categories of talent: deepfake production specialists who can generate synthetic video and clone voices, AI-assisted fraud specialists who can weaponise large language models for social engineering, and AI infrastructure operators who can deploy and fine-tune models outside regulated cloud environments on grey-market servers, stripped of safety guardrails.&lt;/p&gt;

&lt;p&gt;The recruitment follows patterns I have documented extensively across 80+ published intelligence reports. Trusted community members make the approach. The framing is peer opportunity, not recruitment. The people being recruited often do not know who is ultimately directing or funding the work. The pipeline is operational. The specialists are being onboarded. The tools they will build are months from deployment.&lt;/p&gt;

&lt;p&gt;This is what the sovereign AI race actually looks like from the inside.&lt;/p&gt;

&lt;p&gt;Europe Is Not Losing. Europe Is Late.( They can Win )&lt;/p&gt;

&lt;p&gt;The distinction matters. Losing implies the game is over. Late implies there is still time but not much. Over the past twelve months, European signals on sovereign AI have been encouraging. France has Mistral. Germany is building sovereign cloud and the LEAM initiative. Multiples companies are building sovereign platform designed for NATO-aligned government use. At least two major European intelligence services have begun departing from US-owned AI platforms a signal that sovereignty has moved from policy preference to operational requirement.&lt;/p&gt;

&lt;p&gt;But encouraging signals are not deployed capability. And deployed capability is what the moment demands.&lt;/p&gt;

&lt;p&gt;The Three Races Europe Is Running Simultaneously&lt;/p&gt;

&lt;p&gt;The conventional framing puts Europe third behind the US and China in AI. That framing is correct for one race and wrong for two others.&lt;/p&gt;

&lt;p&gt;Frontier model development. Europe is third and falling. Mistral is competitive at the mid-tier, but no European lab is in the frontier race with OpenAI, Anthropic, Google,Z.ai, or DeepSeek. The good news: Europe does not need to win this race. It needs to ensure it can deploy sovereign instances of competitive models open-source or licensed on European-controlled infrastructure.&lt;/p&gt;

&lt;p&gt;Defence and intelligence AI deployment. This is the race that matters most, and it is the race where Europe is furthest behind. Most European defence and intelligence agencies are years behind the US in integrating AI into analytical workflows, threat detection, and decision support. NATO has strategic documents but no deployed AI capability at scale. The gap is not about model quality. It is about deployment speed.&lt;/p&gt;

&lt;p&gt;AI-enabled hybrid warfare. This is the race Europe is actively losing on the defensive side. From what I observe directly, adversary-aligned groups are deploying AI for disinformation, deepfakes, and automated social engineering faster than Europe is deploying AI to detect and counter these tools. The dark web recruitment pipeline I described at the opening of this article is the production capacity for this capability.&lt;/p&gt;

&lt;p&gt;Russia's Weakness Is the Window&lt;/p&gt;

&lt;p&gt;Russia's position in the AI competition is simultaneously behind in development, crippled by sanctions on compute access, and increasingly dependent on Chinese AI technology. The combination creates a window for Europe that is strategically significant and temporally limited.&lt;/p&gt;

&lt;p&gt;Russia cannot currently train frontier AI models domestically. GPU access is severely constrained. The best Russian AI talent is leaving. On the development dimension, Europe is ahead.&lt;/p&gt;

&lt;p&gt;But Russia is not behind on the weaponisation dimension. Russia has consistently demonstrated the ability to deploy imperfect tools effectively in disinformation, in election interference, in hybrid warfare. The dark web specialist recruitment I observe is accelerating precisely this capability. Russia does not need the best AI. It needs AI that is good enough to generate convincing deepfakes, automate social engineering at scale, and produce synthetic content faster than fact-checkers can respond.&lt;/p&gt;

&lt;p&gt;The window exists because Russia's development weakness is temporary. Chinese technology transfer is already partially mitigating the compute shortage. Within three to five years, the gap could close. China's patience in cultivating AI partnerships with European states particularly in Central and Eastern Europe and the Balkans, where the EU is not offering alternatives is structural and long-term.&lt;/p&gt;

&lt;p&gt;The time to act is now. Not next year. Not after the next funding cycle. Now.&lt;/p&gt;

&lt;p&gt;The AI Act Paradox&lt;/p&gt;

&lt;p&gt;The EU AI Act is the most significant AI regulatory framework in the world. It is also, in its current implementation, a potential brake on the deployment speed that Europe's security situation demands.&lt;/p&gt;

&lt;p&gt;The paradox is real: the Act's compliance requirements slow innovation and raise costs for European AI developers, but its sovereignty-forcing effects push European institutions toward domestic AI solutions they would not have chosen under pure market incentives. The Act helps and hinders simultaneously.&lt;/p&gt;

&lt;p&gt;What I expect to see and this is a prediction I am willing to commit to publicly is a two-speed Europe. Western European states will implement AI Act requirements conservatively, slowing defence AI deployment. Central and Eastern European states, facing more immediate security threats on the Eastern Flank, will interpret the same requirements pragmatically and deploy faster or slower ( depends on the activity on the Ukrainean front + each country politics ) &lt;/p&gt;

&lt;p&gt;This two-speed dynamic is not necessarily a problem. It could be a strategic asset if the EU designs a framework that channels CEE deployment speed into coordinated capability rather than treating it as non-compliance.&lt;/p&gt;

&lt;p&gt;Deploy Now. Perfect Later.&lt;/p&gt;

&lt;p&gt;The central argument of this analysis is uncomfortable for the European policy temperament: deploy imperfect AI tools into defence and intelligence now, rather than waiting for perfect European-built models that will arrive too late.&lt;/p&gt;

&lt;p&gt;The adversary is not waiting for perfect tools. From what I observe directly in underground ecosystems, AI-enabled hybrid warfare tools are being developed and tested today. They are imperfect. They are deployed anyway. Their imperfection does not prevent them from being operationally effective.&lt;/p&gt;

&lt;p&gt;Europe's standard defence procurement cycle takes three to five years. The dark web recruitment-to-deployment cycle for an AI specialist takes three to five months. The asymmetry is structural. It cannot be closed through faster procurement alone. Europe must deploy what is available now on sovereign infrastructure, under European control while developing what will be needed next.&lt;/p&gt;

&lt;p&gt;The Polish S-AI model represents the right philosophy: sovereign, state-exclusive, designed for rapid integration, iterated on capability rather than waiting for perfection. Whether that specific model succeeds or fails, the design principle is correct.&lt;/p&gt;

&lt;p&gt;Four Things I Expect to See by Mid-2027&lt;/p&gt;

&lt;p&gt;Based on what I observe directly and on the structural dynamics described in this analysis:&lt;/p&gt;

&lt;p&gt;One. AI Act enforcement will produce a visible two-speed Europe compliant West, pragmatic CEE.&lt;/p&gt;

&lt;p&gt;Two. China will offer AI technology partnerships to at least two CEE or Balkan states, filling gaps the EU is leaving open.&lt;/p&gt;

&lt;p&gt;Three. The first documented case of AI-generated deepfake content used by a state-aligned actor to influence a European election campaign. The dark web pipeline I described is the production capacity. The capability is months away, not years.&lt;/p&gt;

&lt;p&gt;Four. NATO will establish a formal AI integration doctrine by mid-2027 imperfect, late, but necessary as the institutional framework for what should already be happening.&lt;/p&gt;

&lt;p&gt;The Window&lt;/p&gt;

&lt;p&gt;The sovereign AI window is measured in months, not years. Russia's weakness is temporary. China's patience is not. While European policymakers debate regulatory timelines and funding mechanisms, the underground is already building the workforce for the next generation of AI-enabled hybrid warfare.&lt;/p&gt;

&lt;p&gt;The connection between sovereign AI policy and dark web recruitment is deeper than most people in Brussels want to admit. The policy debate and the operational reality are not happening on the same timeline. The policy debate operates in fiscal years. The operational reality operates in Telegram channels.&lt;/p&gt;

&lt;p&gt;Europe does not need to beat the United States or China in AI. It needs to ensure it is never dependent on either and that it stays decisively ahead of Russia. That is achievable. Everything else is aspiration.&lt;/p&gt;

&lt;p&gt;But it requires acting now. Not after the next white paper. Now.&lt;/p&gt;

&lt;p&gt;The full analytical report at Horizon Briefings on aether intel — SAI-2026-001: Europe's Sovereign AI Window — is available as a free TLP:CLEAR download at [aether-intel.com]. It includes detailed national landscape assessments, dark web recruitment indicators, MITRE-mapped threat analysis, and specific policy recommendations.&lt;/p&gt;

&lt;p&gt;This article draws on nearly two decades of direct dark web HUMINT monitoring and on 80+ published intelligence reports across the AS-CTI-2026, OBSIDIAN-TRACE, GREY NEXUS, and Sovereign AI series + Europe Through 2028 series. No individuals are identified. No classified intelligence is cited.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stîngă is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania.&lt;/p&gt;

&lt;h1&gt;
  
  
  SovereignAI #EuropeanSecurity #CyberSecurity #ArtificialIntelligence #ThreatIntelligence #HybridWarfare #NATOSecurity #EUAIAct #DarkWeb #HUMINT #DeepFake #Disinformation #EasternFlank #CyberThreats #InfoOps #OSINT
&lt;/h1&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>europe</category>
    </item>
    <item>
      <title>Intelligence Brief: The Disinformation Machine</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 17 Jun 2026 06:33:59 +0000</pubDate>
      <link>https://dev.to/aetherintel/intelligence-brief-the-disinformation-machine-3bh</link>
      <guid>https://dev.to/aetherintel/intelligence-brief-the-disinformation-machine-3bh</guid>
      <description>&lt;p&gt;The Disinformation Supply Chain: How Coordinated Influence Campaigns Are Built Before They Go Viral &lt;/p&gt;

&lt;p&gt;Article from Digital HUMINT Series, For better understanding read the full report&lt;/p&gt;

&lt;p&gt;Right now, somewhere on X/forum people are fighting about a post that feels real raw, emotional, perfectly worded to hit a nerve. It has the right language, the right anger, the right timing. It sounds like someone who thinks exactly the way you do, or exactly the way you hate.&lt;/p&gt;

&lt;p&gt;It wasn't written there. It wasn't written today. And the person who wrote it doesn't care about the issue at all.&lt;/p&gt;

&lt;p&gt;That post was created two or three days earlier, on a hidden forum or a private chat group, following a set of instructions that described who to target, what emotions to trigger, which platform to use, and how much the job pays. By the time you see it, the operation has already worked. You engaging with it for or against is the whole point.&lt;/p&gt;

&lt;p&gt;I've spent almost two decades watching these hidden spaces where online manipulation is planned. What I've learned isn't that fake content exists everyone knows that by now. What most people don't realize is that it works like a factory. There's a production line. There are workers, managers, and paychecks. And just like any factory, if you know where to look, you can see the product being assembled before it ever reaches the shelf.&lt;/p&gt;

&lt;p&gt;It Works Like Any Other Business&lt;br&gt;
We talk about "disinformation campaigns" as if they're political movements. Some are. But more and more, what you're actually looking at is a business with four steps, each handled by different people, often in different countries.&lt;/p&gt;

&lt;p&gt;Step 1 — Someone writes the plan. A person with a goal and a budget writes a document that says: push this story, target these kinds of people, make them feel this emotion, use this language, post it on these platforms. These plans used to appear on hidden internet forums. Many have moved to private Telegram groups, but the structure hasn't changed since I first saw it in 2014.&lt;/p&gt;

&lt;p&gt;Step 2 — Someone hires the workers. Job ads appear on hidden forums looking for people with real-looking social media accounts, willing to post about specific topics, in specific countries, for cryptocurrency payment. These ads are surprisingly open about what the job involves. They list the platform, the country, the topic, how many posts per day, and the pay anywhere from $20 to $200 per post.&lt;/p&gt;

&lt;p&gt;Step 3 — The content goes live. Multiple accounts post similar content within a short window, dropping it into the right online communities. This is the moment it becomes visible to the public.&lt;/p&gt;

&lt;p&gt;Step 4 — It spreads. Paid accounts boost the content. Automated accounts pile on. And then real people people who genuinely agree with the message start sharing it because it feels true. At that point, the operation runs on its own. The people sharing it have no idea it was manufactured.&lt;/p&gt;

&lt;p&gt;The person who wrote the plan, the person who wrote the post, the person who published the post, and the person who shared it are four different people. Often living in four different countries.&lt;/p&gt;

&lt;p&gt;The 48 Hours Nobody Is Watching&lt;br&gt;
Here's the part that should bother everyone: the best chance to stop one of these operations is not after the content appears on your feed. It's in the two or three days before it appears while the plan is being written, the workers are being hired, and the content is being prepared.&lt;/p&gt;

&lt;p&gt;During that window, the whole operation is visible to anyone watching the right places. The plan exists. The job ads are posted. People are being recruited and paid. The network that will spread the content has been told what's coming. Everything is ready, but nothing has been published yet.&lt;/p&gt;

&lt;p&gt;Once that window closes, it's too late for prevention. You're just trying to clean up the mess while more content keeps coming. And that's exactly what most organizations tasked with fighting this problem are doing they're watching social media for fake content after it's already out there. They're looking at the finished product, not the factory.&lt;/p&gt;

&lt;p&gt;The job ads alone tell you almost everything you need to know. An ad looking for English-speaking accounts, focused on election-related content, targeting a specific country, paying in cryptocurrency, posted a few weeks before an election that's not hard to interpret. It's a clear warning sign with specific details about what's coming. The challenge isn't understanding what it means. The challenge is that almost nobody is looking at the forum where it was posted.&lt;/p&gt;

&lt;p&gt;What I Saw Change Over 12 Years — and What Stayed the Same&lt;br&gt;
I first saw this system in action during the 2014–2015 period, monitoring hidden forums connected to the conflict in Eastern Ukraine. The instructions were crude open messages telling people what to post, where, and to whom. The people posting these instructions didn't think anyone outside their circle was reading them.&lt;/p&gt;

&lt;p&gt;What surprised me then, and still surprises me now, is that the basic system hasn't changed in twelve years. The steps are the same. The timing is the same. The logic is the same.&lt;/p&gt;

&lt;p&gt;What has changed is the tools. AI now writes content that used to take human writers hours. Cryptocurrency replaced bank transfers, making payments harder to trace. Telegram replaced some of the old forums for planning. TikTok got added to the list of target platforms. The factory is the same it just has better equipment.&lt;/p&gt;

&lt;p&gt;The one change that actually makes a difference is that the planning stage has partly moved from open forums to private chat groups. Forums, even hidden ones, can be monitored by anyone who gains access. Private groups are much harder to watch. But the hiring stage — the job ads looking for people to post — still happens on forums, because you need to reach a wide pool of workers. That part of the process is still visible if you know where to look.&lt;/p&gt;

&lt;p&gt;What This Means for You&lt;br&gt;
If you're just someone who uses social media which is most of us the takeaway is simple. The content that triggers your strongest reaction, that perfectly matches your frustration or your fear, that sounds like someone finally saying what everyone is thinking that content may have been designed to feel exactly that way. Not by an algorithm. By a person with a plan and a budget, who identified people like you as the target and your specific worry as the way in.&lt;/p&gt;

&lt;p&gt;It doesn't mean every post that makes you angry is fake. It means the posts that feel the most perfectly crafted to push your buttons deserve a second look. A pause. A moment of asking: who benefits if I share this right now?&lt;/p&gt;

&lt;p&gt;The factory is real. The production line is running. And by the time you're arguing about the product on your timeline, the person who ordered it has already moved on to the next batch.&lt;/p&gt;

&lt;p&gt;This short article is part of my Digital HUMINT Series.&lt;/p&gt;

&lt;p&gt;This article is based on findings from report OT-045, "The Disinformation Supply Chain," published by Aether Intel (aether-intel.com). The full report includes the complete production-line framework, technical mapping, detection methods, and twelve years of evolution analysis. Available for free at aether-intel.com.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>europe</category>
    </item>
    <item>
      <title>By the Time You See the Attack, You're Already Late</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 15 Jun 2026 05:59:51 +0000</pubDate>
      <link>https://dev.to/aetherintel/by-the-time-you-see-the-attack-youre-already-late-413d</link>
      <guid>https://dev.to/aetherintel/by-the-time-you-see-the-attack-youre-already-late-413d</guid>
      <description>&lt;p&gt;This Article is part of Europe Through 2028 Part Two &lt;/p&gt;

&lt;p&gt;Europe eastern frontier isn’t facing a wave of infrastructure attacks. It’s facing something harder to see and harder to stop: access being built and held in reserve, ahead of 2028.&lt;br&gt;
There’s a particular kind of threat that doesn’t show up in incident reports, because nothing has happened yet. No outage. No ransom note. No breach disclosure. Just a foothold quiet, persistent, established inside a system that matters sitting there, doing nothing, waiting.&lt;/p&gt;

&lt;p&gt;That waiting is the point. And right now, across Europe’s eastern frontier, it’s the trend worth watching.&lt;/p&gt;

&lt;p&gt;In an earlier assessment, I described what I called the build influence infrastructure being assembled well ahead of Europe’s 2028 election supercycle. Aged accounts. Cultivated operators. The slow, patient construction of a perception-shaping capability that wouldn’t be switched on until the moment it mattered. The unsettling part wasn’t any single piece of content. It was the timing: someone was getting ready.&lt;/p&gt;

&lt;p&gt;This is the second half of that story. And the build has grown a harder edge.&lt;/p&gt;

&lt;p&gt;From narratives to the systems underneath&lt;br&gt;
Over recent months, the same ecosystems I’d been watching curate accounts and recruit operators started orienting toward something else entirely. Not narratives. Systems the physical and digital infrastructure a state depends on to function.&lt;/p&gt;

&lt;p&gt;The shift is one of emphasis, not a clean break. The actors are the same. The forums are the same. But the conversation has moved from what people believe to what keeps the lights on. Among groups whose behaviour and targeting line up consistently with a single state’s strategic interests, there’s been a sustained rise in stated intent and observable interest against national-security-relevant infrastructure.&lt;/p&gt;

&lt;p&gt;Here’s the logic shift that matters. Influence operations shape perception. Infrastructure targeting shapes leverage the ability to threaten, disrupt, or signal at a moment of your own choosing. Pursued together, they’re not two separate campaigns. They’re two halves of one pressure capability, aimed at the same horizon.&lt;/p&gt;

&lt;p&gt;And critically: what’s rising is posture, not yet impact. The interest is up. The recruitment is up. The orientation is up. A wave of destructive events is not. That distinction is the whole game, because it means defenders still hold the initiative for now.&lt;/p&gt;

&lt;p&gt;Access is the asset, not the action&lt;br&gt;
This is the idea I most want to land, because it reframes how you should read everything else.&lt;/p&gt;

&lt;p&gt;Access to a critical system quietly established, never used is not a failed attack. It’s a capability. It’s a loaded option held in reserve, and it carries strategic weight whether or not anyone ever pulls the trigger. The infrastructure analogue of the aged social media account: valuable precisely because it’s patient.&lt;/p&gt;

&lt;p&gt;That changes the defensive question. You stop asking “has anything been disrupted?” and start asking “is anyone already inside, just waiting?” The decisive activity isn’t the disruption. It’s the establishment of access during the quiet build phase which is exactly the window where you can still deny it.&lt;/p&gt;

&lt;p&gt;Two targets keep surfacing: sovereign AI and power&lt;br&gt;
When you watch this kind of discourse long enough, you stop chasing individual mentions and start noticing gravity the targets the conversation keeps bending toward. Two keep recurring.&lt;/p&gt;

&lt;p&gt;Sovereign AI — national and regional efforts to build independent AI capability is attractive precisely because it’s strategic and new. It concentrates sensitive data, computational dependency, and national prestige into systems that are being stood up fast and haven’t yet earned decades of operational scar tissue. They’re emergent, which means they’re soft. For an adversary, interest in a state’s sovereign AI is interest in that state’s future autonomy. Compromise it early, and you constrain a rival’s independence before it’s fully built a long-horizon move that fits a 2028 mindset exactly.&lt;/p&gt;

&lt;p&gt;Power systems are the older, more familiar prize. Their appeal is the cascade. Electricity sits upstream of nearly everything communications, water, finance, healthcare, the state’s own ability to respond to a crisis. You don’t need to cause an outage to extract value. The credible ability to hold power infrastructure at risk is, by itself, a standing instrument of pressure.&lt;/p&gt;

&lt;p&gt;Neither is chosen for being easy. Both are chosen for leverage for what their disruption would signal and cascade. That’s the tell that this is coercion logic, not profit logic.&lt;/p&gt;

&lt;p&gt;One sponsor, many deniable hands&lt;br&gt;
The groups driving this are best understood as aligned with a single state sponsor not as its employees.&lt;/p&gt;

&lt;p&gt;The relationship is rarely a chain of command. It’s closer to alignment and tolerance: nominally criminal crews whose targeting happens, again and again, to serve a state’s strategic interests, operating in an environment where that activity is permitted, encouraged, or quietly nudged while any formal connection stays deliberately blurry.&lt;/p&gt;

&lt;p&gt;That blur is a feature, not a bug. Route strategic targeting through ostensibly independent criminals and the sponsor buys plausible deniability, while defenders inherit an attribution problem. An intrusion that looks financially motivated may be strategically directed. Crime, in other words, can be statecraft wearing a criminal coat.&lt;/p&gt;

&lt;p&gt;The practical takeaway for defenders is uncomfortable but clarifying: treat alignment as a working hypothesis, not a settled fact. Assume some share of what presents as opportunistic crime is strategically oriented and prioritize the targets a state would value over the ones a purely financial actor would pick.&lt;/p&gt;

&lt;p&gt;Become a Medium member&lt;br&gt;
(A note I keep on every assessment of this kind: “state-aligned” is an analytic read on behaviour and targeting, not a legal attribution. I name no state here, and that discipline matters more than ever when the whole adversary model depends on ambiguity.)&lt;/p&gt;

&lt;p&gt;The recruitment surge is the tell&lt;br&gt;
Ambition needs operators. And the clearest signal that the infrastructure orientation is meant to last not flare up once and fade is who’s hiring.&lt;/p&gt;

&lt;p&gt;Across Telegram and dark web forums, nearly all the ransomware-as-a-service operations in the aligned cluster are visibly scaling their recruitment. Where the influence layer ran on selective, reputation-based recruiting, the infrastructure layer looks broader and more urgent. The pattern reads like staffing for volume and continuity building bench depth for sustained operations against hard targets, not hand-picking a couple of trusted hands for a one-off.&lt;/p&gt;

&lt;p&gt;And here’s what makes it intelligence rather than noise: the rise is cluster-wide. Individual crews expand and contract constantly that’s normal underground churn. But an entire aligned ecosystem increasing its intake in the same window, oriented at the same target categories, points to a shared driver behind all of them. That simultaneity is the signature of directed pre-positioning.&lt;/p&gt;

&lt;p&gt;The honest caveat: most of this is inferred from surface activity. The real tempo is almost certainly higher than what shows openly. Recruitment that runs through private, trust-mediated channels stays, by design, below the line.&lt;/p&gt;

&lt;p&gt;Why this is a sovereignty problem, not just a security one&lt;br&gt;
The reason this deserves attention isn’t the prospect of one dramatic, made-for-headlines event. It’s the compounding effect of access being quietly established across exactly the systems a state can’t afford to lose control of.&lt;/p&gt;

&lt;p&gt;Cascade. Power sits upstream of everything. Access converts a narrow technical foothold into broad societal leverage.&lt;br&gt;
Signal. Even held in reserve, demonstrated capability against strategic systems is a message. It shapes the calculations of decision-makers under pressure — coercion that works without ever being used.&lt;br&gt;
Sovereignty. Shaping or compromising emergent national capability sovereign AI above all is a way to constrain a rival’s future autonomy before it’s fully established.&lt;br&gt;
Together, those move the infrastructure front out of the security bucket and into the strategic one. This is leverage over how a society functions and what it can become which is why the response has to be owned at the level of national resilience, not left to individual operators to figure out alone.&lt;/p&gt;

&lt;p&gt;Two fronts, one horizon&lt;br&gt;
Read the narrative build and the infrastructure build together and you get the real picture: a combined coercion capability maturing toward the same fixed date.&lt;/p&gt;

&lt;p&gt;Perception-shaping makes a population more susceptible at the precise moment infrastructure pressure is applied. Infrastructure pressure lends weight to narratives that would otherwise be dismissed. A campaign that can do both at once, at a chosen moment, is worth more than the sum of its parts and the build phase is the only phase where it stays stoppable.&lt;/p&gt;

&lt;p&gt;What an accelerating front looks like&lt;br&gt;
No single indicator proves anything. Their value is cumulative convergence across several, over time, is what separates directed pre-positioning from ordinary underground activity. The things I’m watching for, in combination:&lt;/p&gt;

&lt;p&gt;A simultaneous, cluster-wide rise in recruitment across aligned groups.&lt;br&gt;
Target-category drift in discourse sovereign AI, power, and grid displacing purely financial chatter.&lt;br&gt;
An access-not-action posture: footholds established and held rather than immediately cashed out.&lt;br&gt;
Proxy proliferation new “criminal” groups whose targeting keeps lining up with one state’s interests.&lt;br&gt;
Cross-border simultaneity comparable infrastructure targeted across several frontline states at once.&lt;br&gt;
Front convergence the same ecosystems active across both the narrative and infrastructure layers.&lt;br&gt;
The window is the build&lt;br&gt;
If there’s one thing to take from all of this, it’s that the decisive activity is the establishment of access not its use. Which means the highest-leverage defensive moves are anticipatory:&lt;/p&gt;

&lt;p&gt;Hunt for quiet, persistent footholds on the assumption that someone is already establishing and holding them. Apply national-resilience-grade protection to sovereign AI and power as the strategic assets they are. Defend against the state-relevant hypothesis where “criminal” targeting aligns with a state’s interests. Track recruitment as a leading indicator. Coordinate across borders now, while there’s still time to make detection mature. And analyse the two fronts together, because separately neither one tells you the truth.&lt;/p&gt;

&lt;p&gt;Quiet, persistent access to a strategic system is not a failed attack. It’s a capability waiting for the moment it’s needed and it’s being built now, in the one phase where it can still be denied.&lt;/p&gt;

&lt;p&gt;The defender’s advantage hasn’t changed since Part One. It’s time, spent now, on denying access before it becomes leverage.&lt;/p&gt;

&lt;p&gt;This is a strategic forecast describing patterns, intent, and trajectories observed across monitored dark web and Telegram ecosystems, interpreted through more than a decade of HUMINT and open-source experience in Eastern European, Russian-language, and hybrid-warfare environments. It names no state, actor, group, infrastructure, or jurisdiction, and contains no operational or technical detail. “State-aligned” reflects an analytic assessment of behavioural and targeting alignment not legal attribution. Published TLP:CLEAR for the broadest defensive benefit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Almost all the ops start recruiting from underground/dark web/telegram&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>eu</category>
    </item>
    <item>
      <title>Someone Decided What Millions Would Think Next Week</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 10 Jun 2026 07:40:55 +0000</pubDate>
      <link>https://dev.to/aetherintel/someone-decided-what-millions-would-think-next-week-1ci3</link>
      <guid>https://dev.to/aetherintel/someone-decided-what-millions-would-think-next-week-1ci3</guid>
      <description>&lt;p&gt;HUMINT — Behavior Analysis Series · Based on GREY NEXUS report GN-064, "Narrative Architects"&lt;/p&gt;

&lt;p&gt;By the time a piece of disinformation reaches your feed, the most important decisions about it have already been made, somewhere you'll never see, in a document you're not meant to know exists.&lt;/p&gt;

&lt;p&gt;The post feels spontaneous. The outrage feels organic. The timing feels like coincidence.&lt;/p&gt;

&lt;p&gt;None of it is.&lt;/p&gt;

&lt;p&gt;In this Q&amp;amp;A, Adrian Alexandru Stinga threat intelligence analyst specializing in HUMINT, behavioral analysis, and dark web ecosystems unpacks the findings from his latest GREY NEXUS report, GN-064: Narrative Architects. Drawing on nearly two decades monitoring coordination communities, forums, and encrypted channels, the report documents something most counter-disinformation work never looks for: the operational briefing the document that is written, calibrated, and distributed before a single post ever appears.&lt;/p&gt;

&lt;p&gt;Q: Your report opens with a strange line "A briefing is not written to describe what will happen. It is written to make what will happen look like it was never planned." That sounds backwards. Explain it.&lt;/p&gt;

&lt;p&gt;It only sounds backwards if you think the goal of an information operation is to spread a message. It isn't. The goal is to spread a message that looks like it spread on its own. The entire value of a coordinated narrative collapses the moment it looks coordinated. So the briefing is written with two objectives at once: make the operation effective, and make the operation invisible. Those two objectives are in tension, and managing that tension is the whole craft. A good briefing produces alignment among hundreds of people while leaving no individual piece of content that could ever prove they were aligned.&lt;/p&gt;

&lt;p&gt;Q: Let's go to the basics. When most people imagine a disinformation campaign, they picture bots, fake accounts, troll farms. You're saying the real action happens earlier.&lt;/p&gt;

&lt;p&gt;Much earlier and that's the blind spot. Almost all counter-disinformation work begins the moment content reaches a platform. A post goes up, it gets flagged, it gets analyzed, maybe it gets taken down. But by then the operation has already succeeded or failed. Every decision that mattered which narrative, which audience, which platform, which framing to use and which to avoid was made before any of that, in a single document I call the briefing. The post you see is just the execution of a decision that was made days earlier, somewhere you're not watching. Detecting the post is detecting the smoke. The briefing is the fire.&lt;/p&gt;

&lt;p&gt;Q: So where does a briefing actually begin? With the narrative?&lt;/p&gt;

&lt;p&gt;No, and this surprises people. Briefings don't begin with a narrative. They begin with a context: a condition in the information environment where a particular narrative can land(as i writted in GN-067 report) . The narrative is chosen second, to fit the opening. There are two main starting points. The first is event-triggered something happens, a political announcement, a scandal, a disaster, and a prepared narrative moves into that window of attention within hours. The second is accumulated-tension there's no fresh event, just a pre-existing fault line in society that someone decides is ripe for activation. That second type is far harder to detect, because there's no external trigger to point at. It just looks like a topic that suddenly won't go away.&lt;/p&gt;

&lt;p&gt;Q: If everything is designed to look organic, how can you tell a briefed operation from a genuine community reacting to the news?&lt;/p&gt;

&lt;p&gt;This is the single most important signal in the report, so let me be precise about it. When a real community reacts to an event, it produces diversity. Many interpretations, many framings, people arguing with each other(without knowing why), genuine ideological mess. That's what authentic looks like. A briefed community produces alignment. Within hours you see the same framing, the same supporting points, the same chosen evidence, and this is the giveaway the same things being conspicuously not said. Organic communities argue. Briefed communities converge. The convergence is the fingerprint. Not what they say. The fact that independent people somehow all say it the same way.&lt;/p&gt;

&lt;p&gt;Q: Walk me through what's actually inside one of these documents.&lt;/p&gt;

&lt;p&gt;The anatomy is remarkably consistent. There's an opportunity context the situation being exploited. There's an objective, which is almost always left implicit, because writing down "we want people to distrust this institution" creates attribution risk. There's the narrative specification, which is the richest part: a core claim, two or three supporting points, the evidence to cite, the tone to strike and an avoidance section telling participants what not to say. Then there's target specification which platform, which audience, usually described by behavior rather than demographics, again to reduce traceability. And execution parameters timing and volume. But the most analytically interesting part of any briefing is what's deliberately absent: no named director, no financial instructions, no attribution to any state, and never any acknowledgment that the content is coordinated at all. The absences are as engineered as the contents.&lt;/p&gt;

&lt;p&gt;Q: That avoidance guidance telling people what not to say why does that matter so much to you as an analyst?&lt;/p&gt;

&lt;p&gt;Because it's the part nobody is trained to look for. Everyone watches what propaganda says. Almost no one watches what it carefully avoids. When a deployed narrative systematically steps around a specific counter-argument one that would come up naturally in any honest discussion of the topic that silence is a signal. Organic conversation includes the inconvenient points. Briefed conversation routes around them with suspicious consistency. What a campaign refuses to mention often tells you more than what it shouts. The signs for every operations of influenced the people are in the seed message ( the first messages ) you track the first messages you will see clearly is not organic&lt;/p&gt;

&lt;p&gt;Q: You describe a "calibration" problem at the heart of all this. What do you mean?&lt;/p&gt;

&lt;p&gt;This is the real skill of the people I call narrative architects. The briefing has to be specific enough that hundreds of independent participants produce recognizably consistent content otherwise there's no coordination signal, no operational effect. But it has to be vague enough that no single piece of that content could ever be held up as proof of coordination. Too specific exact phrasing, explicit instructions to post and you've created evidence. Too vague just a general ideological direction and execution falls apart, the message scatters, the operation fails. The narrow band between those two failures is where effective briefings live. Hitting that band repeatedly, across many operations, is a learned craft. It's writing.&lt;/p&gt;

&lt;p&gt;Q: This all comes from direct observation? You actually watched these patterns form?&lt;/p&gt;

&lt;p&gt;Over years, yes primarily across the 2014–2016 period when coordination still happened in semi-public forum spaces that a positioned monitor could observe, and then inferred forward from the signals that survived into the encrypted era. That's the part that's hard to convey. I was reading documents that had already decided what millions of people would see on their feeds in the coming days. The "organic public reaction" hadn't happened yet it was sitting in front of me, specified and scheduled. You don't forget what that does to your sense of what a comment section actually is.&lt;/p&gt;

&lt;p&gt;Q: And it's gotten harder to see since then.&lt;/p&gt;

&lt;p&gt;Considerably. The structural logic of the briefing hasn't changed at all the anatomy I described is stable from 2014 to today. What changed is the plumbing. Coordination moved from semi-public forums to encrypted, compartmentalized channels with role-based, need-to-know distribution. Guidance became more implicit, leaning on norms established in prior operations rather than spelling things out. Avoidance rules that used to be written in the briefing are now just understood. So detection went from "high, for anyone positioned to watch" to "medium, and only with deeper access and real structural pattern recognition." The signal is still there. It's just buried deeper, and you have to know the shape you're looking for.&lt;/p&gt;

&lt;p&gt;Q: So what's the counter-disinformation takeaway? What should defenders actually do differently?&lt;/p&gt;

&lt;p&gt;Move detection upstream. A program that starts looking when content hits a platform is permanently operating downstream of the decision that mattered. The briefing signal sudden narrative alignment, coordination-channel preparation activity, content-creator recruitment with oddly specific framing requirements appears before deployment. That's where the lead time is. Second: start analyzing avoidance patterns, not just content. Third: prebunking, which NATO StratCom research already identifies as the highest-impact intervention, works far better when it's calibrated to the specific framing an anticipated briefing will use, rather than to a vague topic area. Briefing-structure analysis is what makes prebunking precise instead of generic. None of this is something an automated platform does well. It needs an analyst who can hold a behavioral baseline in their head and notice when reality diverges from it.&lt;/p&gt;

&lt;p&gt;Q: Final question. The most unsettling line in the whole report is in the conclusion. The people spreading these narratives were they lying?&lt;/p&gt;

&lt;p&gt;No. That's the part that's genuinely hard to sit with. The community members who posted the briefed content had no idea they were executing a brief. They believed they were expressing their real convictions — and they were. That's the craft at its most refined. The briefing didn't manufacture beliefs and install them in people. It went looking for convictions that already existed, and then wrote precise instructions for how to express those convictions in the most operationally effective way at exactly the right moment. The people are sincere. The sincerity is the weapon. The document found it, aimed it, and timed it — and then made sure it would always look like it was never planned.&lt;/p&gt;




&lt;p&gt;Adrian Alexandru Stinga is the founder and Lead Analyst of &lt;em&gt;Aether Intel&lt;/em&gt;* (&lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;https://aether-intel.com&lt;/a&gt;), an independent Cyber Threat Intelligence practice based in Brașov, Romania. GN-064, "Narrative Architects," is part of the GREY NEXUS deep-dive intelligence series (GN-061 through GN-070), available in full at aether-intel.com.*&lt;/p&gt;

&lt;p&gt;The full report includes the complete briefing anatomy, the deniability-gradient model, MITRE ATT&amp;amp;CK technique mapping, a four-phase detection framework, and a fictional composite briefing illustration. Public-source corroboration: NATO StratCom COE, EU DisinfoLab, and EEAS StratCom East. TLP:CLEAR unrestricted distribution.&lt;/p&gt;

&lt;p&gt;If you've observed coordination-channel activity consistent with active briefing preparation narrative-specification threads, content-creation coordination, or platform-targeting discussion report it to your national counter-disinformation authority or counterintelligence service. Reporting is not evidence of guilt. It is evidence of integrity.&lt;/p&gt;

&lt;p&gt;Read the full report GN-064 → aether-intel.com&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Someone Is Keeping Score of Your Society's Pain</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sun, 07 Jun 2026 15:14:33 +0000</pubDate>
      <link>https://dev.to/aetherintel/someone-is-keeping-score-of-your-societys-pain-2l9i</link>
      <guid>https://dev.to/aetherintel/someone-is-keeping-score-of-your-societys-pain-2l9i</guid>
      <description>&lt;p&gt;The Grievance Catalog: Why Your Population's Pain Is Already on File&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stinga | Lead Analyst, Aether Intel | June 2026&lt;/p&gt;

&lt;p&gt;A grievance, once catalogued by a hostile actor, has already become a munition. Only the firing date remains undecided.&lt;/p&gt;

&lt;p&gt;That's the conclusion of nearly two decades of monitoring Eastern European and Russian-speaking underground ecosystems. And it changes how we should think about hybrid threats entirely.&lt;/p&gt;

&lt;p&gt;This Is Not a Propaganda Problem. It Is a Memory Problem.&lt;/p&gt;

&lt;p&gt;We keep treating foreign influence operations as campaigns bounded events with a beginning, a peak, and an end. That framing is convenient for media reporting and political response. It is also wrong.&lt;/p&gt;

&lt;p&gt;What I've observed since 2014 is not a sequence of campaigns. It is the continuous operation of an archive. A slow, patient, distributed accumulation of human pain — harvested from open social media, regional news comments, closed Telegram groups, and protest movement chats — indexed, tagged, mirrored, and held ready for activation.&lt;/p&gt;

&lt;p&gt;The archive doesn't generate the crisis. It waits for the crisis and redirects it.&lt;/p&gt;

&lt;p&gt;I watched material being filed in 2014 and 2015. I assumed it had a half-life that grievances not used quickly would expire and lose their emotional charge. That is not what happened. I've seen the same testimonies, sometimes the same screenshots, redeployed in 2022 and 2023 with their original emotional charge fully intact.&lt;/p&gt;

&lt;p&gt;A grievance, properly catalogued, does not age. It waits.&lt;/p&gt;

&lt;p&gt;How the Catalog Works&lt;/p&gt;

&lt;p&gt;The architecture is deceptively simple. Four layers, none of which require sophisticated tooling or formal organisation.&lt;/p&gt;

&lt;p&gt;Layer 1 - Harvest. Open social media, news comment sections, closed groups, protest chats. The harvesters don't know they're harvesters. They're reading, screenshotting, saving things they find interesting.&lt;/p&gt;

&lt;p&gt;Layer 2 — Tagging. Material gets reposted into working threads, categorised by grievance type, region, demographic, exploitability. The taggers think they're having a conversation.&lt;/p&gt;

&lt;p&gt;Layer 3 — Storage. Pinned threads, screenshot folders, secondary channels, cross-posted to ensure no single takedown kills the archive. The mirrorers think they're preserving something valuable.&lt;/p&gt;

&lt;p&gt;Layer 4 — Activation. Pulled into messaging products, talking points, or used as a lens to identify individuals for future recruitment. Only at this layer is professional intent visible and by then the work of the first three layers was already done, for free, by people who would never describe what they were doing as intelligence collection.&lt;/p&gt;

&lt;p&gt;The cost of building this archive is patience, language fluency, and an absence of scruples about treating other people's pain as a resource.&lt;/p&gt;

&lt;p&gt;Five Categories of Pain, Faithfully Indexed&lt;/p&gt;

&lt;p&gt;Across the ecosystems I've monitored, five grievance types account for the vast majority of catalog content. They're harvested in parallel and activated based on which external trigger arrives first.&lt;/p&gt;

&lt;p&gt;Ethnic and minority tensions activated around local crime stories, school policy changes, census debates.&lt;/p&gt;

&lt;p&gt;Economic inequality and class resentment activated around energy price spikes, inflation reports, pension reforms.&lt;/p&gt;

&lt;p&gt;Religious and confessional divisions activated around religious anniversaries, clerical controversies, legal cases.&lt;/p&gt;

&lt;p&gt;Historical wounds and unresolved past activated around commemoration disputes, border tensions, revisionist controversies.&lt;/p&gt;

&lt;p&gt;Anti-institutional and anti-elite sentiment activated around corruption cases, institutional scandals, sovereignty debates.&lt;/p&gt;

&lt;p&gt;When a coordinated network can activate across all five categories simultaneously, the preparation was done years in advance by people who understood each terrain well enough to file it correctly.&lt;/p&gt;

&lt;p&gt;From Population Archive to Individual Targeting&lt;/p&gt;

&lt;p&gt;Here's where it gets personal. The grievance catalog is not only a messaging tool. It is a recruitment tool.&lt;/p&gt;

&lt;p&gt;Individual posts, accumulated over time, reveal the contours of a person their wounds, their loyalties, their resentments, their financial pressures. For an actor patient enough to read the archive longitudinally, the result is a low-cost behavioural dossier on people who never consented to be profiled.&lt;/p&gt;

&lt;p&gt;I observed the same operators tagging grievance material also flagging individual authors for future contact. The vocabulary was basic — variants of "useful," "approachable," "angry enough," "locally credible" but the discipline was consistent.&lt;/p&gt;

&lt;p&gt;The catalog of grievances and the catalog of exploitable individuals are not separate products. They are two views of the same dataset. This is the point where information operations become intelligence operations — and where data protection and national security genuinely converge.&lt;/p&gt;

&lt;p&gt;The Asymmetry Defenders Haven't Solved&lt;/p&gt;

&lt;p&gt;The core problem is not resources. It is memory horizon.&lt;/p&gt;

&lt;p&gt;The adversary's catalog operates on a decade-plus timeline. Entries from 2014 are still operationally live in 2026. Western defender institutions operate on budget cycles, political cycles, and personnel rotations. Lessons learned in one crisis are forgotten 24 to 36 months later when the team rotates.&lt;/p&gt;

&lt;p&gt;An adversary who remembers versus a defender who moves on that asymmetry is the structural condition under which everything else in the hybrid environment plays out.&lt;/p&gt;

&lt;p&gt;Defender responses framed around incident, campaign, and attribution will continue to win battles and lose the longer contest. The catalog operates on a decade horizon. Any defender posture organised on shorter horizons concedes the strategic terrain by default.&lt;/p&gt;

&lt;p&gt;What Needs to Change&lt;/p&gt;

&lt;p&gt;The answer is not to mirror adversarial tradecraft. Defender institutions cannot and should not maintain catalogs of their own populations' pain. The answer is to build analytical capability whose institutional memory survives the political and personnel cycles that currently bound it.&lt;/p&gt;

&lt;p&gt;EU EEAS, NATO StratCom COE, EU DisinfoLab, and national counter-disinformation units are the right starting institutions. The question is whether their mandate, budget, and continuity match the time horizon of the adversary.&lt;/p&gt;

&lt;p&gt;The lesson of nearly two decades of direct observation: wounds are not weapons by themselves. They become weapons when someone with patience writes them down.&lt;/p&gt;

&lt;p&gt;The full report (GN-069, TLP:CLEAR) is available at aether-intel.com as part of the GREY NEXUS series (GN-061 through GN-070).&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stinga is the founder and Lead Analyst of Aether Intel, an independent Cyber Threat Intelligence practice based in Brașov, Romania, specialising in Eastern European and Russian-speaking underground ecosystems, HUMINT tradecraft, behavioral analysis, and nation-state/hybrid warfare intelligence.*&lt;/p&gt;

&lt;h1&gt;
  
  
  CyberThreatIntelligence #HybridWarfare #Disinformation #InformationOperations #NationalSecurity #NATO #EU #OSINT #HUMINT #CTI #AetherIntel #GreyNexus #StrategicCommunications #Counterintelligence
&lt;/h1&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>eu</category>
    </item>
  </channel>
</rss>
